There’s one question we run into a lot here. It takes many forms, but it always boils down to “What should I learn?”
The following questions are usually, “Where do I learn it? What resources are there?”
The CSC’s core mission really boils down to “prepare students for careers in private and public industries,” so answering these questions is kind of why it exists. We’re here to provide those answers (and there will be some helpful links at the bottom), but there are many answers we can’t give you. That’s what this post is about: helping you determine your path and choose which opportunities to pursue, because you can’t pursue all of them.
Take a look for a moment at the Upcoming Events of the newsletter, or the CSC Event Calendar. Less than half the days of October *don’t* have CTFs running. Moreover, there are only 7 days in October that don’t have some sort of event on them.
So what do you do?
First, you really have to ask yourself where you want to go in security. There are tons of different specializations in security, but for today we’ll divide it into general skill sets.
Red Team & Research- Red teams need to be able to recognize vulnerabilities and then exploit them. At its most basic level, this is checking version numbers against exploit-db and employing scanners. At its most advanced level, this is analyzing binaries and inventing new exploits based on raw understanding and creativity. The work can be extremely frustrating, but also extremely rewarding.
Blue Team & Compliance- The key responsibility of Blue Team is to harden the company’s infrastructure. This is making sure that everything is patched, the network is configured securely, and that all company policies are being enforced. Blue Team needs to have a strong understanding of the specific organization’s services, and how to navigate that organization’s framework to get things done.
Incident Response & Forensics- When something slips past the Blue Team, the Incident Response team has to clean up their mess. This means IR has to have a strong understanding of digital law, and what actions to take in order to properly generate a report of every machine that was compromised and how it was done. This work can be very stressful, especially if the attacker may still be in your systems, but it is in very high demand.
Operations- These are the guys who build out your infrastructure and make sure everything stays up and running. Your system administrators and network administrators aren’t always considered part of the security team, but ultimately everything they configure will need to be hardened by Blue Team and inspected for vulnerabilities. The work can be fun and not usually as stressful or frustrating as the others, but more and more of this is getting outsourced to the cloud.
This is important because, as Alan Wennersten puts it, “Security is a field about crystallized intelligence.” Nobody can predict exactly how a web app is written, much less some Microsoft code, but if you’ve previously attacked similar applications (or hardened them), you should have a pretty good idea of where to start.
If you already know what field you want to go into, it should be pretty easy, but here’s the kind of stuff you should be going to, separated by field.
Red Team & Research- CTFs. CTFs. And more CTFs. Actually, if it says “competition” at all, you should be there. There are a few fields you might not need as an attacker in these competitions that you shouldn’t worry about learning too much, like steganography or advanced CS concepts/algorithms, but the more you know the better, because you need to be able to HACK ALL THE THINGS.
Blue Team & Compliance- You’re going to want to go to all the corporate talks and events you can, especially anything involving Cisco and Cloud Security. Physical networking and technical writing are also very important for you because of the work environment, and these events can help you with that as well. The best thing you could do for your technical skills would be competitions like CCDC or other Attack-Defense style games.
Resources for Learning CTF Material:
Resources for Practicing CTFs:
More Practical Challenges: