Learning How To Learn Cyber

TLDR: it takes tremendous time, effort, and discipline to learn and become good at cyber. (shocker)

After graduating and starting a new big boy gig, I’ve taken the time to reflect on my experiences with my cybersecurity education – what worked best for me, what didn’t work, and my thoughts overall.

Stay involved

If you surround yourself with the right people, you’ll be learning so much in such a short amount of time. Not just because the knowledge of others will rub off onto you but you’ll develop the right mindset to push yourself and be in the right place to share your knowledge.

When I was a student at Cal Poly Pomona, I joined a cybersecurity club called SWIFT. To be honest, it wasn’t the workshops or the meetings that had the most value to me. It was being able to meet like-minded people and work with talented individuals on projects and in competitions. One thing I realized is that when you’re in a group with talented teammates, don’t be the one person who drags the entire team down. Learn how to be accountable for yourself and contribute real value to your teammates. (Hopefully everyone on your team has the same mindset as well.)

Don’t just attend conferences and put them on your resume. I’ve heard countless times from “adults in the cyber industry” that if you volunteer at a cyber conference then companies will be “scrambling to hire you”. What they say is just a ton of bullshit. It is great to attend events and even volunteer for them if you wish. But it takes more than showing up to land a job in cyber.

There’s like a million things out there. If you’re new to Linux, https://cmdchallenge.com/ and OverTheWire are great resources. For the more initiated, TryHackMe and HackTheBox are two really great examples of hands-on labs for learning technical skills.

However don’t just grind TryHackMe or HackTheBox. Do something else, like create a home lab or make a new tool, something besides structured learning. You don’t need super expensive hardware - a Kali and Windows VM are enough to learn. The effort that goes into your own exploration will improve your raw knowledge of cybersecurity and familiarity with the tools and techniques that you may come across in your cyber journey.

Also - don’t think about learning cyber as a roadmap. I guess that’s one of the biggest issues I have with TryHackMe as it’s simply too guided. It’s still a great resource, don’t get me wrong, but don’t get tunnel-visioned into thinking that all you need to do is capture some flags and finish a room to learn about cyber. Maybe take a dive into HackTheBox. No balls.

Make sure that you’re actually learning the concepts and techniques. Take good notes - don’t just copy and paste command output and take screenshots. Make a deliberate effort to understand what’s going on and the inner processes of how things work (e.g. how does a Kerberoast attack work?).

What about certifications?

It’s debatable. Certifications definitely make you a better job candidate, but most certifications are not a great representation of your skills. Some hands-on certifications like OSCP, CRTO, etc. may be more valuable than certs like Security+ or CEH, which are all MCQ.

Certs are good to get past the HR stage but further down the interview stage, it’s a hit or miss. While some folks praise certifications as the holy grail of cybersecurity education, others will claim that the OSCP is useless.

The one exception is if your job requires security clearance. Then yes, you absolutely must get something like a Security+ or CISSP. Besides that, get certs, they definitely help, but focus more on technical knowledge and familiarity with hands-on topics.

No-lifing over cybersecurity

Something I’ve thought about for a while is that in tech there’s a hidden expectation that you must code in your free time in order to be successful. Cyber has that same expectation.

But do you have to spend every waking hour of your day on HackTheBox? Probably not.

Depending on your schedule, 1-2 hours to grind out HackTheBox is a reasonable amount. If you have the mental power to spend 8+ hours on a box, then go for it. Obviously, the more time you spend, the better. I’m not saying you HAVE to spend 8+ hours on HackTheBox a day. But at least spend some time dedicated to the grind.

Do you have to be passionate about cyber? No, but it definitely helps.

Personally, I don’t care too much about reading into current trends of AI taking over cyber jobs or keeping up with the latest John Hammond videos where he shills PlexTrac and other random software. But I do enjoy the amount of tradecraft that goes into red teaming and coming up with unique ways to solve a problem. I think that’s what keeps me going in cyber.

I don’t think you HAVE to be passionate about cyber, but there is some raw, intrinsic motivation and desire for self-improvement that is kind of required to get good at cyber.

If you’re a current student, it might make more sense to allocate more of your time to learning cyber. From the wise words of Brandon Sakamoto - “You need to not have a life in college to have a life outside of college.” But once you’re outside of college, then depending on your situation it gets increasingly more difficult to make time for cyber.

Cyber is difficult

Cyber is difficult. It’s a highly specialized topic that requires extensive knowledge in multiple fields of technology.

@sinusoid on Twitter mentioned something that resonates with me:

If you want to learn about cyber, read a book or a blog post. Take certification exams. Do HackTheBox. Build your own AD attack lab. But what makes someone god-like in cyber is the time, effort, and struggle they put into their craft, and how much they’ve gone to hell and back to achieve their goals. The journey is difficult and painful. But don’t give up. It’s worth it, trust.

Taylor Nguyen