I have been asked a few times over the years about which resources I recommend for someone to start learning cybersecurity. Last time I ended up sending an email with about fifty links and while it was somehow not blocked by their spam filter, I realized I should just put them in a blog post so that the next time I only need to send one. Now that the question has come up again, I’ve finally written it.
General Information Security
Both Microsoft and Google maintain security blogs with detailed posts on their latest research. The Project Zero team have their own blog for their research here. Bruce Schneier, one of the designers of the Twofish encryption algorithm, maintains one of the most famous security blogs online. In addition to the daily security related posts, he has also published numerous books on the subject and speaks at events. I was lucky enough to attend a talk he gave at my university a couple of years ago. One of the designers of another AES finalist (Serpent), Ross Anderson, contributes to the Cambridge University Security Research blog.
Active Directory is one of the most important topics for anyone working in Windows security. The adsecurity site is one of the best resources for learning about Active Directory security. Additionally, SpecterOps have produced some of the most powerful tooling for mapping Active Directory for Red Teaming and post very good information on their blog. Jared Atkinson also posts the most comprehensive information on detection engineering I have found on there.
If you are interested in malware analysis or you’ve started dreaming in assembly language, these resources may be helpful to further your abilities. Hasherezade’s blog is an excellent place to start, it is chock-full of helpful tips on reversing and has a post with resources for getting started, which I won’t duplicate here. For more, Malwaretech and Malware Unicorn’s websites are strong resources, both also produced challenges to give hands-on practice.
When you have completed those challenges, more “crack mes” can be found online, some sites with a bunch are listed on this Stack Exchange post. Stack Exchange is generally a quality resource for all jobs in IT.
Infosec people rely on good threat intel in order to combat advanced threat actors. CrowdStrike, Mandiant, Talos and Red Canary are some of the best known names in the business and all of their blogs are worth a read.
Digital Forensics & Incident Response
A topic close to my own heart, this is probably one of the hardest areas to get experience in without an internship because the data you need to be able to analyze is generally highly sensitive. SANS courses are recognized in the industry but are aimed at companies paying for their employees. Incident Response is a role which involves such a wide range of technology that pretty much whatever you learn can be applied to your job. Some of the best resources are Sarah’s blog on mac4n6 and Inversecos blog.
Some additional tips are to learn Operating Systems internals so you can tell the difference between normal and bad. Learn about “Cloud”, Active Directory, networking, at least a little programming/scripting, regex and Splunk. For tools, start by learning Eric Zimmerman’s and X-Ways.
Not all education needs to put you in debt. University is an excellent way to network with folk from big companies but if you are currently in high school or looking for a career change and want to get into Cyber Security, teaching yourself some of the basics can help you choose the right course for you and save you time and effort. If you are lucky and work hard, it may even allow you a more direct route to your first job.
Portswigger, the creators of Burp Suite, host a free training platform. OWASP is well known and their top ten is a good reference for common web application security issues. The bug bounty platforms hackerone and bugcrowd have training courses on their sites. Hack the box has a huge selection of vulnerable virtual machines to practice pentesting on. The Mitre ATT&CK framework is probably the best known framework right now and very useful for understanding threat actor Tactics Techniques and Procedures (TTPs) and attack paths.
Because infosec demands you to keep learning, all the time, here’s how to do that while also doing chores. Security Now has been running for a long time and revisiting the past episodes is likely a comprehensive education in Cyber Security from the last decade and a half. Currently, episodes tend to be around the two hour mark and contain an overview of recent security stories and then a deep dive into the most interesting one. For something very different, Darknet Diaries has investigative journalist Jack Rhysider explore some of the coolest and most disturbing stories in technology.
Joking aside though, you don’t have to spend all your time doing “cyber”. In fact you’ll probably be much better and happier if you develop a healthy work/life balance and have other, entirely unrelated hobbies.
I am not a heavy user of social media, myself, but I allow myself a half hour of infosec twitter per day. There are too many folk on there to link in this post but you can always look through the list of accounts I follow for inspiration.
Live Overflow has been creating content on YouTube for a long time and I highly recommend going back and watching some of the old reverse engineering and binary analysis videos. Deviant Ollam posts videos primarily on physical security. Cerberus started a channel recently and posts interesting content in an easy to understand way.
I only use reddit a wee bit but some of my favorite communities to lurk in are:
Misc & off topic
There’s more I had to skip over than I could mention in this post so you should use this as a starting point and then go find your own favorite resources. It is also to be expected that not every resource in here is relevant for you, but I have tried to provide a broad overview which should include something for everyone. Good luck and enjoy, cyber security is the most fun, challenging and rewarding career I have experienced.