Learning to Firewalk: Low to no cost resources to get into infosec

so a couple fair warnings I know at least one person in here has been through one of my talks before I bounce I move I jump I ask for a response so if you've got something to say say it please you know I prefer call and response I'll try to repeat it so that it gets caught by the mic but just a quick introduction learning to firewalk look to no-cost resources to breaking into the security industry the point of this talk is well that ok so a quick way of introduction hi my name is Brian Austin I am a security researcher at guide point security based out of Herndon Virginia I personally live in North Carolina Charleston has

been a favorite haunt of mine for the better part of my life love it down here it's gorgeous so if I've worn a couple of you if you see me like yell or make odd gestures my seven-year-old son is in the third row and he's ignoring me which is kind of normal but so this gives a little bit of information about me I'm an amateur main malware analyst I'm not very good at it but it's something I really enjoy and it's a skillset that I'm trying to add which is actually where some of the resources here come from I am a professional meme slinger I internet good as my sister-in-law says also a massive coffee addict if you can't tell

by the way that I'm kind of chattering this is actually my normal without caffeine but fair warning I and obviously I'm a dad because you know seven-year-old fair warning I finished this at 1:30 last night I'm not entirely sure what's on it so let's begin the views and thoughts that are expressed here are not necessarily those of my employer or of anybody in general in fact most of them aren't really thoughts or opinions they're just pointing to resources so Wow hey there's a transition there cool okay so how many of you guys have heard of the skills gap yeah it's something that's being very frequently talked about Forbes just released a massive article about it

aisaka has had done several security analysis analysis sees you know I don't know whatever the plural of analysis is releasing statements that say 59 percent of organizations receive at least five applications for each new security o-5 compare that with down here right here most corporate job openings result in 62 250 applications alright how many of you currently work in the security industry how many of you want to work in the security industry oh you poor poor souls you have no idea what you're in for how many of you have seen entry-level position requires two to three years of experience CISSP CEA man yeah okay so another quick disclaimer I don't have a degree like literally I've never done a

huge number of training courses I've never done a bootcamp everything I know I learned because I just played with computers growing up and I studied the certifications myself you know sometimes on books that were obtained through means that were let's say less than ethical but the point is there's now a wealth of free resources and low-cost resources for people that are like me that don't have the education that don't have the degree to get into the industry so this is not going to necessarily be how to bridge the gap from a corporate perspective right because the truth is there's a lot of you that are like me that you know you don't know what you're

doing you're just playing you're you're enjoying yourself this is for you to gain the skills because the truth is unless the resume has to go through HR a lot of companies are now moving away from the model that you have to have a four-year degree they're now looking do you have the skills necessary to perform the job so that's what this is about the cost of a degree just as kind of an instant I have three kids anybody parents yeah so you know you're just you're broke it doesn't matter what you're making you're broke yesterday just as for instance he my son over there ate an entire large pizza by himself for lunch and then we made

dinner and he had three helpings and then a handful of cookies and then another helping and I'm like good night where did he's put it the kids got better AB definition than I do it's terrible but this is the cost differential that you're starting to look at the average cost of a four-year degree in 1984 was $5,000 right in 2015 whose $25,000 private schools were a little bit higher 8400 in 1984 going up to 2015 forty-seven thousand nine hundred and ninety dollars and even with that you're barely making muster if you can actually get an entry-level position because again they're looking for two to three years of experience plus a bachelor's degree plus a CISSP plus a master's

degree and it's insane so anybody seen the meme that's been going around you know in 1960 a high school diploma would be able to provide a full a full-time job from a high school diploma could provide decent life for a family of six and 1970 a bachelor's degree guaranteed you a posh position at a nice corporate job and people to wait on you hand and foot for life in 2017 a master's degree and five years of experience and they're like oh I don't know maybe get a job at McDonald's or something first and unfortunately that's the world we're living in I don't know about you but I can't afford yeah yes or no I think this is

actually the total cost of the degree is it a per semester Wow nice thank you

I'm so glad that I went bill routed by online school mine is actually a little over six but we'll actually I included the university that I'm attending in here just as kind of a reference point but you know I'm broke and I have a degree to prove it and I just loved the butterfly dance poem the the haiku just captures the essence of trying to get a job after school so moving on the cost of certification these are just some average costs that I pulled off of Google at I think that was at like 12:15 last night and I had to leave home at like 3 or 4 to get here so and if anybody is curious I'm gonna try

to post all of my sources and my slide deck maybe tonight if I'm not dead to the world when I get home but I'll be posting this on my Twitter handle which you saw at the beginning it's a true and underscore a so these are expensive it's hard to get this stuff when I was first trying to get my major first job in the security industry I was aiming for the ceh you know I grew up insecure in computers and kind of had a feel for security and I knew that this the certified ethical hacker was kind of like a ii certification as far as industry reputation but I also knew that a lot of job postings I was looking at

required it so I self studied the crap out of that thing and I pass it yay but I don't have $3,700 I was scraping by just to make ends meet so it wasn't a possibility so it's expensive it's hard to do especially if you're working on a budget some of you guys are college students some of you guys are trying to break into the industry from you know I talked to one guy that kind of helped me get this talk rolling he was working in construction and had a master's degree in InfoSec and he couldn't find a job I've got another friend who you know tangentially related has a master's degree in architecture from Savannah College of

Art and Design which is one of the most prestigious arts institutes in the country incredibly and you know what he was masterfully doing masterfully working at the Ingles deli you know which is just a local supermarket where we're from that's the only job he could get so we're gonna walk through some different options I've meant to put up a slide that said hey these are the free resources but apparently I failed to do so so let's start off with probably one of my favorites cyberguy tea and just a quick caveat these are by no means a comprehensive list of the resources available these are just the ones that I personally used and have found very effective very

useful and very wonderful to play with right there's a thousand other ones and the trick is not necessarily any special juju it's learning how to google dork learning how to arrange a search for that I highly recommend going to Google and saying what is Google Dorking okay so cyber era taught IT is a phenomenal program because what it does is it actually has a series of free videos training courses that you can go through it embeds some quizzes and some feedback you've got forms you've got a lot of different ways to interact with other people it is entirely online and it is entirely free I'm not entirely sure what all of their revenue model is but it's a

pretty neat thing you can go in there and you can do anything from your a plus basic hardware and software certification all the way up to the CISSP cyber re is not focused on any particular avenue of computer systems it if it has to do with the computer programming DevOps IT security infrastructure they've got something on it so check them out by all means it's again something I use frequently the goal that they went out with he posted it in their about Us page we believe everyone deserves an opportunity and that opportunities should not be limited to people who win the birth lottery right I grew up in Appalachia anybody know anything about the Mount eastern

mountains the coal industry yes but that's further north that's up in the Virginia West Virginia area I'm in the North Carolina's Appalachian which what our industry is dependent on is moonshine yeah and chickens yes we have unholy numbers of chicken farms for a long time it was paper manufacturing recently it's become more of like a craft beer industry but all of the plants shut down about 15 20 years ago right as I was graduating high school and there's nothing there's no industry there yeah and I was actually 35 miles outside of Asheville which is almost an hour-and-a-half drive yeah awesome so I was stuck in an area that we barely had dial-up but you know we

had some extra computer parts my dad ran a small computer shop in our town so I got to play you know our version of Daddy's son dime was not driving four hours to Charleston it was hey let's go set up a land party and that's how I learned but I was very lucky in that whereas a lot of people aren't so this is an opportunity for you moving out Microsoft has actually started moving in this space this is probably one of the better ones so cyber re is phenomenal some of the guys that presenter a little bit drive but they're really good they're very very knowledgeable this is the Microsoft Virtual Academy this is spectacular

I mean this is not necessarily going to be pushing you into a Microsoft certification but this is going to push you into a level of expertise and these are the four main areas that they push you through developers IT pros data pros and students so it gets you get your feet wet into a much deeper understanding of Microsoft their operating systems their programs and other things they got this wonderful curated Learning Path setup so what you do is you go in and you tell them this is what my career goal is and it will actually help you map a series of courses that will get you from where you are to where you want to be which is

something I really love not to mention the fact that it is Microsoft so you know the information is up-to-date presuming that they finally did end of life XP security too many of you guys have used security tube over the years it is run by today I'm not even a tries last name my poor country tongue just doesn't do that he covers a broad sweep of topics and it's a very YouTube style so it's less curated but you can go through the mega primers which actually will focus you on a particular series to get you into a particular area right it's very useful very interesting sometimes it's a little bit hard to understand the audio quality

on a few of the videos is not great but again spectacular the video tutorials are top shelf and vivec does an amazing job packet pub packet publishing once a day releases their daily offering which is a free book some of these are usable some of them are not for me like flux architecture I can't code my way out of a wet paper bag and I don't need to thank God so I'm not super interested in that however you know Python for kids the when all's up here Android UI practical digital forensics I'm a threat hunter and I deal in explicitly blue team and purple team activities so I take things apart I figure out how they work and

then I look for them in client environments for those of you that did not know guide point security is a managed service managed security service provider so what my job is is I work with around 40 clients and I actively hunt in their environment for attackers for malware for misconfigurations and it's wrong for me yeah I love it it's really interesting but it does refresh every day at 6 p.m. Eastern Standard so if you miss it you miss it check it it's free you just have to sign up for an account and login so it's a pretty useful place and I hit it I try to hit it every day unless I'm traveling the only catch is it's a random book

there's no at least no sequence that I found sans orgs reading room how many of you have heard of sans sans the most trusted name and information security testing training and researching I don't know what their line is but the sans reading room is free it is a series of white papers that are actively being released going back to the beginning of Sands so you're looking at cutting edge research from people who are oh sorry ok you're looking at cutting edge research from people who are actively going through the sands courseware right so this is literally the bleeding edge of research and detection and red teaming so they've got it set up and catalogued based on

subject matter so you can go in and if your interest is you know say threat intelligence they have an entire catalogue of papers dedicated to nothing but threat intelligence malware research nothing but you know these are sometimes very very technical when I was first discovering this and was reading through it I had to read it and then on my you know had two tabs open and on one it was the reading room and on the other it was Miriam Webster's because I'm like okay what the hell does that even mean I can't eat that's 17 letters what okay but it's just really great hack the box eeyew these guys provide penetration testing labs they are a free training

lab program and they have some really awesome sponsors oh what's that little green logo over there yes I'm a shill I'm sorry they bright my paychecks but we do actually have a team that works through hack in the box some of our team members actually submit CTS to them for pushing and it's really really interesting really really fun they've got a great community and a great slack channel to discuss things and one thing you'll find for those of you that have are new or trying to get into the security community if you find somebody and you say hey can you teach me what you know I have not met many who were like you know shove-off knew most of

them are like oh dude guess what I will totally show you how this sells but I will not only show you that I will show you the entire framework of how I got there and it builds that foundation this is a community of volunteers this is a community of people who are committed to helping one another so welcome to the family by the way additional options this is a map of hacker meetups right trying to I will post the exact website I had to post Tampa hacker space because the one of the founding members is a friend of mine but hackerspaces makerspaces besides conferences like this one hacking meetups you can get a ton of

value from going and hanging out with people like you're doing right here and right now you will get to know individuals that you would not ever interact with right Twitter is a wonderful wonderful tool but until you actually meet someone and interact with them kind of is a different dynamic so highly highly recommend if you have a chance to get to one of these things in meatspace do it if you can't build one yourself most of the stuff is low-cost I've got a workshop in my garage again I have three kids which means no money no time no patience no hair so and you know two of them are daughters so ulcer one and ulcer too so I don't have time to get

out to my anchor spaces but what I can do is go onto Amazon and order a couple of Raspberry Pi some Arduinos and experiment and work on my own time and you know I work well self-guided mainly because I don't follow conventional pathways I'm very ADHD so I go here and then I follow the rabbit trail and then I end up up a tree and it gets really weird but it's it it works for me additionally vole hub if you are running a virtualization system volnov is your best friend right whether you are trying to get into network defense or red teaming volha is spectacular because what it presents to you is vulnerable virtual machines not only that but it

creates CTF based trying to think of what I could how to phrase it it's a CTF style for vulnerability research for blue teaming but also for red teaming so you can go in and you can actually look at this and does assemble what they've done not only test it out yourself but you can also try to secure that and then attack it again which is one of my favorite things to do because I'm boring and sad and they didn't have a really cool logo so sorry no pictures this one was actually suggested to me by the bull 369 who I don't know if he's here but I pitched this to a group of friends if you can find some slack

channels there's several spectacular ones I didn't put it in here but the open underscore Oh sent slack channel is really really good if you go in there make sure that you don't present like a bot otherwise we're all going to look at you kind of sideways if you see a cup of coffee and the name Rain Man or Rain Man a on a slack channel there's a fair chance that that's me my DMS on Twitter are always open so if you've got questions let me know also the cyber aces course so just like Microsoft sans decided that they were going to start making security a little bit more accessible as we saw the sans courses are obscenely expensive but

they're amazing they are absolutely spectacular so what they have done is they have selected certain courses from their curriculum and have open sourced it and are public domain day and you've gotten three modules that you can work with but it's geared towards blue teaming this is an awesome resource this is something that I really really love and obviously I like free stuff because I'm broke and I know some of you are the same so malware unicorn Amanda Russo works at endgame as a senior malware analyst I think that's her official title I don't know but Amanda is absolutely amazing if you've read any of her work or seen any of her interviews she's probably one of the most brilliant

malware researches I've ever talked to and she has decided that she would put out a reverse engineering malware 101 and 102 course these courses actually walk you through live reverse engineering of actual malware samples I'm sorry but that's cool to me you can find that at secured or github IO she also has all of her slides white papers all of the research that she has done and just as a quick caveat if you see her on Twitter you know send her a hey and they you know we appreciate you message because her group actually is her company has allowed her to open up and take on interns so she is live teaching people how to do this in a real

environment as a job I mean and malware research is not something that's easy to get into it's a very small field but iron geek Adrienne so Adrienne is the iron geek if you've ever been on his website he presents conference presentations he has white papers he has video tutorials Adrienne has done a ton of things Adrienne is also I think he likes this as his handle the info sex biggest shitlord Adrienne is a notorious troll he it's depending on what you think of it will depend on how you interact with him but the resources that he posts up are spectacular he has been doing conch the con circuit for better than I think ten years he's currently at

trusted SEC doing research for them but he runs the con circuit videotapes that much like Evan is doing and posts it for free so so you can't beat the resources that's where a lot of people have gotten their start so we have reached the end of the free portion if anyone would like to get off this crazy train now you're more than welcome to because we're about to go into low low prices all my hair's not slicked back enough for that sorry so some of the resources that there's an old saying you get what you pay for right so if you get something for free you might feel a little bit unsure of it and some companies are going to be like

well what did you give for this they're going to be curious about you know a little more about the the investment these are again a curation of really good things really good low cost sets the Humble Bundle Humble Bundle once a month releases a series of books that are related to the IT industry or the information security industry I think the one going on now is startups it's like the complete guide to startups a couple weeks ago they had one that was introduction to getting a job in IT and security so for 15 bucks you get like 20 books of the entire gamut really not only is it a really great resource they do some great work with that money

so as you pay you can actually opt to support various causes usually so my small caffeine cursus my kryptonite like I said I'm a coffee junkie now I've lost my train of thought anyway Humble Bundle has a wide variety sometimes it's really really useful sometimes not so much but they also have like gaming software a variety of different things that you could pick up from there's one other that's very related and I'm trying to remember it because I forgot to put it in that I've used before and it's escaping me but I will put it in the bibliography when I post this slideshow this is my University this is where I'm going to school they may not

be available in all states but it is entirely online this is Western Governors University currently the average cost is about $3,200 per semester there's not any books that I've interacted with I've going through the IT security program and there are several certifications that are actually built into the degree program so you're not just learning course credit it is for those of you that are curious fully accredited through whatever it is that I know sacs but I don't know the West Coast version I don't know I've got people raising their hand

you still have to go through an application process there's a couple of unique things about WGU that I'll cover in just a second but I think sometimes they require a little bit of experience in the field you'd have to check with the state admission requirements in North Carolina I know you know with no degree they took me on but you know I've been playing with computers since I was you know that tall check with them WGU edu and there's usually one of little chat admissions counselor you can chat with them and figure out what's going on but it's at least worth looking into yeah I am pursuing right now it's getting ready to change over because

they opened a new program that fits me better but I am currently in the IT program with a focus on networks and security but in January they are making in North Carolina available the network security information assurance program which is a little bit more geared toward blue teaming threat hunting that sort of thing so that's what I'm gonna be transitioning into does guide point require it no guide point took me and they were like hey we're just glad you're coming so like I said there's a movement in a lot of industry now to say do you have the experience can you actually do it yeah

in my case it's twofold it's more of a personal goal it was number one I need to do it and finish something because like I said I have severe ADHD so I have real bad impulse control issues so I will get started on something and I'll go over here and get started on this and get started on this my workbench is I have three are covered in projects and like half of them are projects I'm working on for my wife half of them are just something I'm doing for fun and then there's just a smattering of toys that I'm fixing and my wife is absolutely sick and tired of looking at them because I will start it and then I'll

get distracted and forget that it's there it's something I'm actively working on but another point is I have a son and two daughters and you know they're going to learn the hacking trade just by virtue of growing up around me but they may not want to be information security professionals I want to show them that no matter what what circumstances happen in your life it is entirely possible for you to do anything that you want to anything you put your mind to is completely within your grasp especially my daughters because you know we see it all the time that there's a lot of issues with diversity going on and I want my kids to know that even

that at 33 years old can go back to school with three kids and a full-time job and you know a ton of volunteer junk that I do and I can still finish that and finish my goals it's that's more the reason guide point doesn't require it but you know if something were to ever happen and I were to leave guide point I don't want to limit my career options but more I want to make sure that my kids know that it's something that they can do yeah

yes I was about to get to that thank you for bringing up because I got distracted and talking about my kids so the really cool thing about this is it is not credit hours based it is competency-based so you could go in and I know I went in and I took the opening the pre-assessment for a class my first weekend third weekend I took the final assessment and I passed and I was done I now have credit for that class because I have competency in that area the course mentors are spectacular they are there to provide encouragement they're there to help when things are you know hitting you in life they're not just going to be

like okay are you doing your schoolwork you know they're not your mama but what they are is an encouragement and a resource point mine checks in with me every week and it's been a real help especially like I said I'm very scattered so I'll knock the first two courses out in like two days and then it takes me four months to get the rest they're semesters are broken up into six month courses but because they are fully accredited it does also mean that that you are eligible for FAFSA student loans the whole shebang so wonderful thing at least in my opinion I'm sure there are other programs out there this is just the one that I know of and like I said

this is not a comprehensive list this is to encourage you to go out and find stuff you know this is a starting point for you O'Reilly Safari Books online it's a little bit pricey but oh my gosh the stuff you get so they are doing an individual free trial I think it's like 30 days and you can go through and you can read any book in their entire library but we have an arrangement

yeah yeah and working at guide point I expressed interest in a training program and they were like oh we have a partnership with them so if you are employed check with your boss and say hey I'm interested in this because there's a fair chance that there's a resource there that you just don't know about and if you don't know about it there's a really good chance somebody else doesn't so write it down write it down in a corporate wiki send out an email blast make sure that you know other people who are trying to move in the same direction as you know that there are resources out there again this is a community of volunteers yeah oh

five minutes oh dang a little bit quicker so the McAfee Institute no not that McAfee this is run by John josh McAfee he's a former incident responder and forensic investigator for I think he did work for the DoD he also did work for Amazon and some really interesting perspective it's so far I've been doing a couple of his courses so far it's less focused on like the nitty-gritty technical and more on the investigative procedures which you know most of us are nerds we don't need help with the nitty-gritty technical we need to help with you know how to process this how to set a process that is documental and understandable to other people especially executives CBT Nuggets they

are just a video courseware program wonderful tools lots of different courses most of its focused on certification but there's still a lot of very usable information in it it also again it gets you in the door you to be lord I get emails from these guys all the time most of their courses are about $15 a piece but they cover the gamut anything from programming out to how to speak Japanese so you know it's it covers a broad swath of everything so it's really interesting and useful additional resource is if you are looking to do home virtualization I highly recommend getting VirtualBox if you do not have it it is based on Java I am sorry I know don't shoot me

but Microsoft has trial VMs not only that there are some groups that if you sign up to do course mentoring with like I think I'll be discussing it in a minute but the cyberpatriots you will be working with kids in schools at-risk kids helping them to understand cyber security you get free access to Microsoft's imagine library which is really nice I am I've not gotten assigned to a school because I'm still in a very rural area but the great thing is you don't have to also go on site if you're available they can do remote mentor yeah yes yes catch me afterwards and you and I will discuss this VMware's ESXi platform is completely free you

have to register and you have to jump through a bunch of Hoops but you can download it and put it onto a system and run it as a hypervisor of course Linux and I've got a plug Tony Robinson's book at da 667 spectacular book it is not by any means a thin volume but it is a comprehensive volume training options here volunteer make a difference in someone else's life do something for another person the CyberPatriot program we just discussed but there's more than just that right there's at-risk kids in your neighborhood there's at-risk kids at your schools at your kids schools you can teach them basic computer skills it will help you it's not just a resume

builder but it helps build us up as a community and as an industry please you know find some time volunteer so the last thing I'm going to discuss is called through the hacking class this is a project that I am in the process of launching with Joe gray Joe is the one doing the OSINT course here so this is the official launching party that I'm doing at 95 miles an hour so I'm really sorry we will be discussing more information but what this is going to be geared toward is free mentorship free training we're going to be using a lot of these resources the goal is to get people who want to either expand their

skills or who want to get into the industry to come in and work with somebody who's already there and we're hoping that they'll recycle back and we haven't worked out all of the kinks with it but we're recycling everybody back in to mentor others what you do is you'll go in you'll choose a course path and they will assign you resources assigned reading and then you'll get access to the labs you'll get to actually do what you've been reading about the mint you'll write a report the mentor will look over the report they'll submit the report to the community and you'll get feedback our hope is that this makes everyone better as an industry and this

will be free there may be features added later but the core point is to build up the industry and to build up the community the conclusion this community is built on the backs of volunteers this community is you you heard Jack say in the keynote you are now part of the hacker family you're here you are a part of the founder circle of B sides each and every one of you is a founder circle of something you have the chance to make a difference do it make it your little corner of the world better place because that's where it starts thank you [Applause]