HackerSploit
The three-year cybersecurity career roadmap presented in this video provides structure and guidance for those looking to operate in the cybersecurity industry, specifically in the offensive side of things. The roadmap emphasizes the importance of learning fundamentals, setting time-defined goals, and applying positive pressure on oneself. The first year focuses on operating systems, including Windows and Linux, while the second year involves learning about pen testing execution standard, home labs, and virtualization. In year three, the focus shifts to red teaming and offensive cybersecurity, including antivirus and ETR evasion, Active Directory pen testing, and C2 frameworks. The roadmap stresses the importance of consistent learning, documentation, and practical application, with an emphasis on gaining a deeper understanding of technologies and assessments rather than rote memorization.
In this section, the creator of the video introduces the concept of a three-year cybersecurity roadmap, inspired by a guide from Black Hills Infosec. He explains that while the original guide was helpful, there was no clear roadmap on what to do beyond year three. He goes on to say that he has developed the roadmap based on his experience in the field, not just as a penetration tester and red team member, but as an educator and mentor to many people in the industry. The goal of this guide is to provide structure and help individuals learn the fundamentals and core concepts required to successfully operate in the cybersecurity industry, specifically in the offensive side of things. The creator also notes that this roadmap excludes mention of certifications, which are important but not the sole way to assess knowledge, skills, and abilities.
In this section, the importance of setting time-defined goals and applying positive pressure on oneself is highlighted. The speaker emphasizes the significance of fundamentals and explains that having knowledge in various fields such as networking and operating systems is crucial for success in cybersecurity. The target audience is identified as high school and college students, technology professionals wanting to pivot into cybersecurity, and even those from non-technical backgrounds looking to switch to cybersecurity as a career. The first year is recommended to focus on operating systems.
In this section, the speaker recommends learning about Windows and its components, including the kernel, NT kernel, and registry, as well as how to secure and harden Windows. The speaker also emphasizes the importance of understanding how Windows password hashes are stored and overall authentication operates. It is crucial to avoid being biased and keeping an open mind towards learning. The speaker strongly advises becoming comfortable with the Windows command line and setting up and configuring an active directory environment. Similarly, for Linux, the speaker suggests learning how to install, configure, and administer Linux, learn about the Linux kernel and its operating systems, as well as the importance of Vim, SED and REGEX.
In this section, the speaker outlines a recommended career path for those interested in cybersecurity. He recommends first learning keyboard shortcuts and how to use Git for source control. Next, he recommends learning operating systems, starting with Windows and moving on to Linux. After operating systems, the speaker recommends learning how to script in Bash and then in Python. He emphasizes the importance of actually building things and learning by doing, rather than just watching tutorial videos. Finally, he stresses the importance of networking in cybersecurity.
In this section, the speaker recommends starting with understanding The OSI model and its layers. It is important to learn about primary protocols like TCP/IP and how they work, particularly in TCP’s three-way handshake. Understanding common ports and important services like FTP, SSH, SMTP, DNS, and SMB is also crucial. The speaker suggests getting gear like routers and switches to set up a home network and learn how firewalls work. Additionally, understanding security fundamentals like basic security concepts, vulnerabilities, risks, and calculating risk, as well as security standards like CIS and NIST are also important. The second year involves learning about the pen testing execution standard, which is a crucial step for anyone going into pen testing and red teaming.
In this section, the speaker recommends using industry-standard methodologies like the Mitre ATT&CK framework, the Cyber kill chain or the OWASP security testing guide as a guide for web application pentesting. Additionally, the speaker advises setting up a home lab in year two to experiment with virtualization, such as Virtualbox or VMware and to learn about DevOps and containers. Pen testing fundamentals like learning about netcat, socat, reverse shells, and bind shells are crucial, as well as learning about passive and active information gathering on the target. Finally, the speaker recommends learning about network and board scanning, using tools like Nmap and Rustscan, and understanding active hosts, board scans, and the Nmap scripting engine.
In this section, the speaker discusses the process of enumeration where tools are utilized to gather as much information as possible after identifying open ports and services on a target system. The speaker recommends learning about web enumeration, SMB enumeration, SSH, vulnerability scanning, and vulnerability assessment reports. The speaker also highlights the significance of learning about exploitation and post-exploitation frameworks like Metasploit and PowerShell Empire. In addition, the speaker suggests learning and understanding buffer overflows, common vulnerabilities, and the common vulnerability scoring system (CVS), responsible disclosure, and post-exploitation techniques. Lastly, the speaker emphasizes the importance of practicing and participating in CTFs to gain experience.
In this section, the speaker emphasizes the importance of learning and improving cybersecurity skills through various sources, such as books, videos, blogs, and platforms like Hack The Box or Try Hack Me. They recommend filling gaps in knowledge by writing reports or blog posts, which can lead to career growth and help others in the field. They stress that taking notes and documenting progress is crucial for growth and improvement in one's craft, and finally suggest that learning the fundamentals of web app testing and bug bounties can be valuable for cybersecurity professionals, even if it's not a specialty.
In this section, the speaker suggests developing a simple content management system to learn about common vulnerabilities and mistakes made by developers in web app development. By intentionally leaving out secure code processes integrated into the system, learners can identify their weaknesses in assessing web apps and testing them for vulnerabilities. The speaker also recommends learning from bug bounty creators such as Jason Haddix and nomsec to get started in bug bounty programs. It is suggested to start with bug bounties locally with web apps that one is familiar with instead of participating in competitive platforms like HackerOne. Learners can identify their strengths in identifying vulnerabilities and get involved in the community by writing blog posts about their experiences.
In this section, the speaker covers the recommended focus areas for year three in a cybersecurity career. If interested in red teaming or offensive cybersecurity, the speaker suggests learning about antivirus and ETR evasion, Active Directory pen testing, port forwarding, pivoting, and C2 frameworks. Developing fishing infrastructure and resource development is also important. The speaker emphasizes the significance of adversary emulation, malware analysis, and reverse engineering. While these fields require prerequisite knowledge and development experience, they can be learned through debugging and disassembling, among other skills, and practical examples will be provided. The speaker notes that all of these skills are essential for red, blue, purple teamers to understand and prepare for real-world scenarios.
In this section, the speaker presents his cybersecurity career roadmap and emphasizes the need for a goal and a realistic timeline in achieving success in the field. He suggests setting a guideline or roadmap for yourself on what you should know after three years, with the understanding that it can expand to three, five, or six years depending on individual circumstances. While acknowledging that people will go off on tangents during the learning process, he encourages a consistent return to the roadmap. Additionally, he suggests being thorough but realistic in setting daily and weekly study goals, including vacation and downtime, and ultimately aiming for a more profound knowledge of technologies and assessment, rather than simply being able to recite memorized information.
No videos found.
No related videos found.
No music found.