Submitted by cyberjerry42 t3_10nnsg4 in IAmA

Hello! I am currently an Offensive Security analyst (also known as Pentester, ethical hacker or red teamer). I specialize in Web and network penetration testing.

My job is mainly about finding security holes within my company's software and exploiting them.

I got into this field autodidactically. I had been teaching myself and researching ethical hacking for roughly 8 years prior to 2020 and had gotten enough skills to get into the field officially. Before this I was a welder who specialized in beer brewing equipment. The only official diploma I have is a GED!

If you have questions about my self-learning path, Cybersecurity or even about my transition from traditional labour into the tech industry, AmA! :)

105

Comments


motoboxer1 t1_j69txrb wrote

Where did you even start when looking to change career paths without additional schooling? I'm currently a truck driver in a similar situation, having only a high school diploma, and I want to make a similar change.

17

sweatycat t1_j69uphx wrote

The OP has submitted proof confidentially.

1

cyberjerry42 OP t1_j69uwo2 wrote

So my "entry path" was through customer support actually! I stumbled on a job ad. I was searching specifically for support jobs as my "plan" was to get in through support. Starting in support enabled me to get a better knowledge of how things worked inside the company so that I could lay out my next steps. As you may assume, tech companies work very differently than other traditional jobs!

After about a year of being in support I managed to gain enough knowledge about our product to fully understand it. There came a point where the company's security department hosted a CTF and I knew this was my time to shine :) I ended up winning it and that's how I got my foot in the door so to speak. The security manager now knew my name and that I had some skills, so that's when I started pushing more into showing interest in that field. After a few weeks of getting to know the security team better and showing active interest in security (even from within the security department), I applied internally and got the job!!

28

Security_Chief_Odo t1_j69vdzp wrote

Do you have much experience creating exploits or finding CVEs, or mostly just using Metasploit and other scanning tools?

What do you enjoy most about being offensive security?

3

cyberjerry42 OP t1_j69wfgk wrote

I have to start by stating that I do not work for a security company, I work as a pentester for a tech company.

The company I'm working at is very active on preemptively detecting CVEs (with tools like Snyk for example) in our dependencies, so Metasploit doesn't really fit the kind of pentests we typically do. Most of our products are either built in-house or heavily scanned before being deployed. I do however use tools that are a little more focused on certain aspects to do my reconnaissance or to catch reverse shells when it comes to it, like Burp Suite, Pwncat, Feroxbuster, etc.

In terms of finding CVEs, since I only do research on our own product, I don't really "find CVEs" which will get indexed into the CVE databases. I will typically find flaws that will get patched before reaching production or that will quickly get hot-fixed.

I have to say what I enjoy the most is the cliche "I'm in" feeling. It's usually very hard to find serious vulnerabilities in a well designed product, but once in a while you'll find a very unique or odd way of making something do something it's not supposed to and it's an insanely satisfying feeling :) I am also a staunch believer that what I'm doing is "for the greater good".

5

Elbynerual t1_j69wg4i wrote

You don't have any cyber security certifications?

4

cyberjerry42 OP t1_j69wyrp wrote

Oh and I do create exploits but typically they are very specific to the use-case and wouldn't be very useful in the wild. I do however work on some internal projects that should be made open-source at some point but they are typically more recon centric.

2

Em_Adespoton t1_j69xwjo wrote

I’ll just add to this that starting off in support and moving to IT security is a very common career path. For red teaming, you’ll need some people with a CS background, but mostly what you need is generalists who can think laterally and pick up how to use new tools in novel ways. Support is also a viable way into blue teams, but you’re going to need a deeper understanding of systems and structures (and basic coding and analysis) to play defence.

9

CellBoth8566 t1_j69z95n wrote

How do you approach responsible disclosure when identifying vulnerabilities in a company or organization's systems?

2

Monster-Zero t1_j69zj2i wrote

What are they paying you versus your area's cost of living?

4

cyberjerry42 OP t1_j69zzev wrote

I will typically try and reach out in multiple ways to the company to initially let them know of my findings. I will search for a `.well-known/security.txt` or an official security team email. If I can't find anything, I'll try and reach out directly to people via their work email. I will then wait a couple of weeks and try to reach out once more but this time broadening my "scope" even more (sending emails to more people and repeating those I've sent initially).

If after a few weeks/months, I will try and reach out via public channels to the company (twitter, facebook, instagram).

I have yet to fail to reach a company (gladly), so I have thankfully never had to weigh the pros and cons of exposing a vulnerability publicly for the "greater good" of the community, so I can't really say what I would do if all channels of communication failed.

1
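The first step of the disclosure routine described above (look for a `.well-known/security.txt`, pull the contacts out of it) is easy to automate. The block below is an added example and not part of the original post or of the OP's tooling; it follows the RFC 9116 field names (`Contact`, `Expires`, `Encryption`), and the sample file, the `example.com` domain and the addresses in it are constructed placeholders rather than a real organisation's file. It treats a file without `Expires`, or with one in the past, as not trustworthy, which is what RFC 9116 asks a consumer to do.

```python
from datetime import datetime, timezone

# Constructed sample of a security.txt in RFC 9116 format. Nothing in it is
# real: example.com and the addresses are placeholders.
SAMPLE_SECURITY_TXT = """\
# Security policy for example.com (constructed sample)
Contact: mailto:security@example.com
Contact: https://example.com/report-vulnerability
Expires: 2099-12-31T23:59:00.000Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en, fr
Policy: https://example.com/security-policy
"""

# Same file with an Expires date in the past: RFC 9116 says a stale file
# must not be relied on, so its contacts should not be used blindly.
EXPIRED_SECURITY_TXT = SAMPLE_SECURITY_TXT.replace("2099-12-31", "2020-01-01")


def candidate_urls(domain: str) -> list[str]:
    """The RFC 9116 location first, then the legacy top-level path."""
    return [
        f"https://{domain}/.well-known/security.txt",
        f"https://{domain}/security.txt",
    ]


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Field names are case-insensitive and may repeat (several Contact lines)."""
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue  # blank, comment, or malformed line: skip it
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def disclosure_channels(text: str, now=None) -> dict:
    """Return the contacts to try and whether the file is still valid."""
    fields = parse_security_txt(text)
    contacts = fields.get("contact", [])
    expires = fields.get("expires", [""])[0]
    expired = True  # no Expires line at all counts as invalid
    if expires:
        # RFC 9116 uses ISO 8601; fromisoformat wants "+00:00" rather than "Z".
        deadline = datetime.fromisoformat(expires.replace("Z", "+00:00"))
        expired = deadline <= (now or datetime.now(timezone.utc))
    return {
        "contacts": contacts,
        "emails": [c[len("mailto:"):] for c in contacts if c.lower().startswith("mailto:")],
        "encryption": fields.get("encryption", []),
        "expired": expired,
        "usable": bool(contacts) and not expired,
    }


if __name__ == "__main__":
    print(candidate_urls("example.com"))
    print(disclosure_channels(SAMPLE_SECURITY_TXT))
    print(disclosure_channels(EXPIRED_SECURITY_TXT))
```

When a file is found, the `Encryption` key is the one to use for the report itself; if `usable` comes back false, fall back to the other channels the OP lists (team mailbox, individual work addresses, then public channels).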

cyberjerry42 OP t1_j6a0fst wrote

I personally think I'm paid very well but I know some countries tend to be more cheap on security analyst salaries for whatever reason.

Where I currently am based, I'd say you could live decently (if living with your significant other) on ~50K. I'm currently paid 90K and I'm on the "high-end" of the typical entry-level pay.

6

cadenhead t1_j6a9xg8 wrote

Back in 2012 what were your best sources of knowledge acquisition to develop your skills in ethical hacking?

6

LusoInvictus t1_j6ahdzv wrote

What are the most overseen cyber security exploits that even big corps might be missing that you have come across recently? Have you ever reached out and exposed an obvious one?

2

cyberjerry42 OP t1_j6ai3ss wrote

It's not an exploit per se, more of a security issue but I often find secrets that are accidentally public. By secrets I mean API keys, AWS access keys and stuff like that. Put into "wrong" hands (depending on the privileges the key has) it can lead to disastrous results. I've done so multiple times especially when it comes to something I've found on one of our clients websites.

Another one which isn't much of an exploit but more of a widespread bad practice is phishing resilience. A LOT of companies don't take phishing exercises seriously despite most of the recent cyber attacks using them as an entry point into a company's systems.

1
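The "accidentally public secrets" class the OP describes is cheap to check for during recon, because several credential formats have a fixed prefix and length. The scanner below is an added example, not the OP's internal tooling and not a substitute for a full rule set such as the ones in gitleaks or trufflehog; the four patterns are my own illustrative assumptions, and the sample input is constructed (the `AKIA...EXAMPLE` pair is the placeholder key AWS uses in its own documentation). It also shows the two details that separate a useful scanner from a noisy one: an entropy check to drop obvious placeholders, and masking so the tool never writes a live secret into its own report.

```python
import math
import re
from collections import Counter

# Illustrative rules only (assumption: these prefix/length conventions are used
# here to show the approach; production scanners carry hundreds of rules).
# Rules with no capture group report the whole match; rules with groups report
# the last group, which is the secret value itself.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]([^'\"\s]{16,})['\"]"),
}

# Constructed sample of a leaked config file; nothing here is a live credential.
SAMPLE = """\
# constructed sample of a leaked config file, not real credentials
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
api_key = "xxxxxxxxxxxxxxxxxxxx"
token: "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij"
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; placeholders like 'xxxx' score near 0, real keys well above 3."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def mask(value: str) -> str:
    """Keep just enough to recognise the finding without re-leaking it."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan(text: str, min_entropy: float = 3.0) -> list[dict]:
    findings = []
    seen = set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(m.lastindex) if m.lastindex else m.group(0)
                # The generic rule is the noisy one: drop low-entropy placeholders.
                if rule == "generic_assignment" and shannon_entropy(value) < min_entropy:
                    continue
                # The same value often matches a specific rule and the generic
                # one; report it once, under the more specific rule.
                if (lineno, value) in seen:
                    continue
                seen.add((lineno, value))
                findings.append({"rule": rule, "line": lineno, "preview": mask(value)})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f['line']:>3}  {f['rule']:<22} {f['preview']}")
```

A hit is only a candidate. Confirming that a key is live (for AWS, calling `sts get-caller-identity` with it) is itself a use of the credential and belongs inside an authorised engagement, which is the distinction the OP's "put into wrong hands" remark is about.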

cyberjerry42 OP t1_j6aik77 wrote

In terms of actual exploits, I've come across an unusually high number of Werkzeug debug consoles that were publicly available via a "staging" subdomain (ex: staging.mywebsite.com). The PIN authentication can be relatively easy to bypass in certain circumstances, essentially giving an attacker direct access to the machine to run malicious commands.

3
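A recon check for the exposure the OP describes, added here as an example that is not the OP's tooling and is deliberately not a PIN bypass: it only reports whether a host serves the Werkzeug debugger console and whether the PIN prompt is present. The markers it looks for (`Werkzeug Debugger` in the title, `CONSOLE_MODE = true` in the page script, the `pin-prompt` element) are my assumptions from the debugger's HTML templates as I know them and should be re-checked against the Werkzeug version in use; the response bodies are constructed, not captured from a real host. The `probe` helper does real HTTP and is only for use against hosts you are authorised to test.

```python
import urllib.request

# Assumption: substrings the Werkzeug debugger console page carries. Verify
# against the Werkzeug version you are testing before relying on them.
CONSOLE_MARKERS = ("Werkzeug Debugger", "CONSOLE_MODE = true")
# The PIN prompt element is present when the debugger still demands the PIN
# before evaluating code; a console started with the PIN disabled lacks it.
PIN_MARKER = "pin-prompt"


def classify_console_response(status: int, body: str) -> dict:
    """Decide whether one HTTP response is an exposed debugger console."""
    exposed = status == 200 and all(m in body for m in CONSOLE_MARKERS)
    pin_protected = exposed and PIN_MARKER in body
    if not exposed:
        severity = "none"
    elif pin_protected:
        # Reachable console, code execution gated by the PIN. The OP's point
        # is that this gate is not something to rely on.
        severity = "high"
    else:
        # No PIN: anyone who can reach the page can run Python on the host.
        severity = "critical"
    return {"exposed": exposed, "pin_protected": pin_protected, "severity": severity}


def console_urls(host: str) -> list[str]:
    """The debugger mounts its console at /console; try both schemes."""
    return [f"{scheme}://{host}/console" for scheme in ("https", "http")]


def probe(url: str, timeout: float = 5.0) -> dict:
    """Fetch one candidate URL; connection errors and 404s count as not exposed."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            return classify_console_response(resp.status, body)
    except (OSError, ValueError):  # URLError/HTTPError are OSError subclasses
        return {"exposed": False, "pin_protected": False, "severity": "none"}


# Constructed response bodies, not captured from a real host.
SAMPLE_CONSOLE_WITH_PIN = """<!doctype html><html><head>
<title>Console // Werkzeug Debugger</title></head><body>
<script>var CONSOLE_MODE = true, EVALEX = true, EVALEX_TRUSTED = false;</script>
<div class="pin-prompt"><form>...</form></div></body></html>"""
SAMPLE_CONSOLE_NO_PIN = (
    SAMPLE_CONSOLE_WITH_PIN
    .replace('<div class="pin-prompt"><form>...</form></div>', "")
    .replace("EVALEX_TRUSTED = false", "EVALEX_TRUSTED = true")
)
SAMPLE_NOT_FOUND = "<html><body><h1>Not Found</h1></body></html>"


if __name__ == "__main__":
    print(classify_console_response(200, SAMPLE_CONSOLE_WITH_PIN))
    print(classify_console_response(200, SAMPLE_CONSOLE_NO_PIN))
    print(classify_console_response(200, SAMPLE_NOT_FOUND))
```

The fix on the application side is not a better PIN: it is never running the debugger (`debug=True`, `FLASK_DEBUG=1`) on a host reachable from outside the developer's machine, and never setting `WERKZEUG_DEBUG_PIN=off`, which is what produces the "critical" case above.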

Daocommand t1_j6ajqv3 wrote

Wait… You entered into cybersecurity as a pentester? If that's the case, I hope you know you are a part of like 0.25% of people whose initial entry into cybersecurity is as a pentester. Well done!

6

cyberjerry42 OP t1_j6ak0q8 wrote

I sure did! And wow I never knew the ratio of pentesters to other cybersec related jobs was this low that is insane! I'll be even more grateful for having the job I have :D! Thank you!!

5

Daocommand t1_j6ak4xt wrote

Knowing what you know today, what would you say are the top items to self-learn prior to entry into Cybersecurity and what do you think is more important to learn after entering as say an apprentice into cybersecurity? I am currently transitioning out of the military and I really want to enter into the cybersecurity industry.

Do you have any general tips for where to get the best information to self-learn? I see you utilized Udemy in another comment. Thank you for your story and for posting here on Reddit.

2

LusoInvictus t1_j6alcto wrote

Oh that's interesting. I feel like pentesting is more of a novelty and "nice to have", as I've never come across anyone with your skill set and I've worked for publicly listed companies as Software QA for the last 10 years.

You feel it's a niche and there are still a few willing to follow your path? Are you guys typically contracted to audit the companies rather than work with their IT teams? Any reference anywhere to what your typical work week looks like? (I'm considering branching out to it hence my questions xD)

2

cyberjerry42 OP t1_j6alsm0 wrote

What a great question! I would say the first thing I would recommend learning is Linux in general. It's widely used and an industry standard when it comes to running something on a server. A lot of pentesting tools are also designed to run on Linux, so one way or another you'll have to learn your way around a terminal. TryHackMe has a great Linux/Unix terminal learning path for free (iirc).

Secondly, try to understand the basics of programming. Python and JavaScript will come in very handy for automating simple tasks/scripts. It's also very important to be able to read code to better understand what's going on under the hood. Codecademy and freeCodeCamp are great resources for this!

Third, I'd recommend knowing the basics of network protocols. Udemy is a great resource for that type of stuff. Understand the HTTP protocol, get a rough idea of how TCP/IP works, etc.

After entering as an apprentice, work on making yourself processes for when you'll be pentesting. Take notes on what was successful, what was not and you'll eventually start seeing patterns of things that come up often. This will be the stuff you'll wanna start working with when going on a new engagement as they'll often be your entry point into a more serious security flaw.

1

cyberjerry42 OP t1_j6amv3e wrote

I wouldn't say it's a niche line of work per se but it's very hard to find good pentesters. A lot of companies tend to hire external firms to pentest their products and get the "stamp" for compliance reasons. Offensive security is absolutely not for everyone as it requires you to think outside the box in very odd ways sometimes.

I've known a lot of absolutely genius devs that could whip out the most complex algorithms without sweating it but they had a very hard time imagining "well if I chain X with Y and finally Z it can easily lead to compromise of A". I'd probably make a shit full time software dev but boy can I break their stuff hahaha

> Are you guys typically contracted to audit the companies rather than work with their IT teams?

I would be tempted to say yes. It's important to keep in mind that most tech companies out there don't have a giant budget and 1000 employees so they often can't afford a red team. This in turn creates a big demand for external contractors such as Cobalt. I personally, however, prefer to work for the company itself rather than being a contractor as it lets me not only find the problem, but help them fix the issue.

1

cyberjerry42 OP t1_j6anbcl wrote

For your question about my work week:
My week will usually start with looking at all that wasn't resolved from the week before. I will then look at what pentests I have coming up (I usually have one per week lasting more or less 3 days). Pentests are always my weekly priority. Throughout the week I'll also follow up on bugs I've previously raised a flag on to make sure they get fixed. If I still have time I'll typically plug the holes by working on one of our various projects, which can range from a cloud infrastructure scanner to an API key sniffer (for example).

2

cyberjerry42 OP t1_j6arevi wrote

It's my absolute pleasure! Twitter is full of great security researchers like JohnHammond, TheXSSRat , TheMayor and many more (see who they retweet and follow them). There is also a lot of great content on youtube such as Liveoverflow and the cyber mentor. Finally, once you feel like you're ready for the real deal, head over to hackthebox. They have some great challenges. In terms of CTFs, I highly recommend going to picoCTF. You'll pickup great tricks there. BurpAcademy is also a great starting point for webapp related stuff!

3

Usual-Owl-9777 t1_j6azn2s wrote

Quick question:

I recently signed up for online IT classes, an intro to programming course. It cost about $500 and now that I'm taking the class I'm upset because it's literally links to youtube videos and the professor doesn't give lectures. We just follow along with the book and watch youtube videos. The book is 5 years old.

Am I right for being upset about this, or is this what an IT course should look like?

1

Wise_Length_6920 t1_j6b4bqi wrote

I have a GED and am self-taught like you. How did you find a break without the BS degree and/or certs and experience? Are you freelance or do you work for a company or firm?

2

cyberjerry42 OP t1_j6b4rxc wrote

I didn't have a perfectly straight learning path but something along the lines of:

Learning linux -> Learning the common network protocols -> Getting some solid bases with a couple of programming languages (in my case python, golang, js) -> getting some experience with various tech stacks by running stuff on my homelab -> competing in various CTFs and gathering exploit knowledge through that -> bunch of online classes on security basics

1

cyberjerry42 OP t1_j6b5epx wrote

I work for a company! I'd say tech is a perfect place to come in without a degree. A lot of companies would rather hire someone who's good (however they got good) than hire someone purely because of their degree. You obviously may have to grind a little more and try to make yourself shine, but that's the hardest part. The second you've got your foot in the door, you can officially put that you're a security analyst and a bunch of doors open :)

If there's a will there's a way! The path to making it may be a little wavy and tiring (you'll doubt yourself, you'll fall into tutorial hell and have trouble getting out of it, etc..) at times but when you get into the industry it's very worth it imo.

1

jzllc t1_j6c1qls wrote

Just a few questions, if you don't mind.

  1. I am interested in this field. Where do you suggest I start at? E.g. Specific YT Channel, UpSkillSet, HackThisSite.com, etc.
  2. Does the majority of this job include working full-time at an IT company, or private contractor (such as Fiverr.com) or contract work such as 6-month contract?
  3. I have been in the IT field for several years, primarily troubleshooting, administration, AD, minor security modifications, etc. How long would you estimate someone with my experience needs before actually being able to seek employment in cybersecurity?

TIA. -Jason

2

External_Throat2680 t1_j6cy1h6 wrote

What was your age when you started learning hacking? What do you think would be the amount of time required for the one with no background in tech to learn to become a hirable person?

2

Ramewolf t1_j6d1t3g wrote

Does welding pay good? Is it easy to find work as a welder?

2

KaFitalist t1_j6d5ysy wrote

Hi, does one need to learn programming and code a lot? I am very good at math, and good at general problem solving, but cannot imagine myself getting misty-eyed about the Art of Computer Programming. :) I work at a retail hardware store that requires high-level people skills to deal with diverse demographics, explaining to them how to solve THEIR hardware problems. Not hi-tech, but you get the picture. So I was wondering if a person like me would be a good fit for a cybersecurity career.

2

cyberjerry42 OP t1_j6db5be wrote

Great question! I'd say I must've started poking around at something like 15-16.

It kinda depends really, as there are many external factors, and it kinda depends on the free time you have and the speed at which you progress. I'd say maybe a few years if you're only learning on the weekends. But it also heavily depends on finding a company that's open to someone with no prior cert/diploma.

1

cyberjerry42 OP t1_j6dbksb wrote

So this is a tricky question. Where I'm from you'll either make a crapload of money by going welding in mines or you'll be poorly paid if you want to work not too far from the city.

In my case I couldn't go work in mines. After 7 years as a welder I barely made more than someone who worked at McDonalds. Odds are this answer is completely useless if you're in another country tho. I (think) there's decent cash to be made in the US.

1

cyberjerry42 OP t1_j6dc5vq wrote

I think you may be a great fit! Offensive cybersec more specifically really needs you to think out of the box, and this is typically where hardware folks excel, as we often need to think out of the box when trying to fix a big mechanical problem. You can't just "reprint" that big gear with a broken tooth lol

I would say start somewhere like Codecademy or freeCodeCamp. Also, once you're fluent enough, try to automate some small tasks you think are annoying to do manually. Small projects will teach you the most!

1

cyberjerry42 OP t1_j6dsar3 wrote

  1. I'd say JohnHammond, TheCyberMentor and XssRat are great starting points on YouTube. NetworkChuck also has some interesting Linux videos.

Before getting into hacking per se, get to know your way around Linux as you will be using it a lot. TryHackMe has an amazing Linux track.

  2. The majority of the job is typically either at tech companies (not necessarily IT; in my case I work for an AI-centric company) or working as a contractor for a bigger security audit company (cobalt.io for example).

  3. Your AD experience will be priceless, especially if you specialize in network pentests. In terms of time, it's kinda hard to say. You can either grind your way through being very good and "showing what you got" or you can start collecting certifications. I sadly couldn't really give a time frame because it can change so much from one person to another. If you can get your Sec+ and your OSCP with prior networking knowledge (AD for example) you should be good to apply.

1

I_Saw_What_Ya_Did t1_j6epbqv wrote

Getting ready to start taking adult hobby/beginner welding classes. Any tips?

2

cyberjerry42 OP t1_j6erag2 wrote

Your welds will be crap in the beginning and it's normal. Don't get discouraged.

Pay very close attention to what is going on in your weld puddle (the part of the metal that's in fusion while welding it) as it will give you every detail you need to know if you're moving too fast/slow and if your settings are correct.

Always get comfortable! This is very important. Welding is nearly all about steadiness (to get a good looking weld) so make sure you're always comfy before laying a bead.

Wear cotton clothes. You will catch fire and it's ok, you just don't want anything melting on your skin.

Avoid staring at someone welding without your helmet on. Getting a flash is no joke.

And finally, have some fun!! Especially if it's as a hobby. I left the welding world because of the industry, but it is an amazing hobby that I'm still in love with :)

2

focusedDude24 t1_j6jdjg9 wrote

sorry if I bombarded you with questions

1: What got you started down this field? Were you always a computer and tech person but decided to specialize?

2: When you started, what were the first few years like? Was it a process of watching YT and reading up on doc pages/write-ups? How did you know what skills you needed to develop, was it learn as you go?

3: Do you have any certs and if so which ones do you recommend?

4: What skills are must haves on the resume and more specifically how did you build up yours?

5: I started doing HackTheBox and plan on signing up for NCL this year, do you think these are worth it? Do you have any suggestions for someone who wants to become a SOC analyst?

1

cyberjerry42 OP t1_j6jy0fe wrote

  1. Always a tech person! Always loved messing with various computer related stuff and getting my hands dirty to see what more I could do with X,Y or Z. Or trying to host a website just to "see how it works" and stuff like that.

  2. It was rough to be honest. This image describes it best. You start to learn bits and pieces to the point where you can glue stuff up but don't quite understand it. Then comes the point where you start to understand it and you realise just how much you actually understand jack shit lol

It was mainly a process of "uh, I wonder how to do this. Let's try!" and then being exposed to more stuff I didn't know and trying to learn about those too. Mainly through YT, various tutorials and reading solutions to some Capture The Flag challenges.

  3. I don't as of now but I'm working on it. Sec+ and OSCP are kind of industry standards despite them not being super up to date. HR will typically look for those. To actually "git gud" tho I recommend the PNPT.

  4. As stupid as it sounds, having a good Google-Fu will take you places. Just show how fast you can learn and how much you're willing to do it. Showing some knowledge about Linux, saying you have a homelab and stuff like that can help as it shows hands-on experience. If you won a prize at a CTF that's also good to know.

  5. Not familiar with NCL sadly. And I'm not familiar enough with the SOC analyst role to be comfortable giving you advice, sorry :(

2