Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

  • stevedidwhat_infosec@infosec.pub
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    6 months ago

    You’re in luck! Cybersec people, for the most part, love sharing what they know/have done with each other. Many believe in freedom of information and find value in open collaboration. We just wanna show you the whacky thing we did with what we had.

    The biggest resource I’ll share with you is membership with ISAAC. Find whatever category you fit into here and push to get your org membership, if you don’t already. This puts you into a huge working group with your industries’ peers and they will have all sorts of resources for you to use including discussions, meetings with pros, etc.

    There’s also SANS who has some free stuff (check their Reading Room) but also has classes (paid, expensive, but veeery worth it imo, again if you can get buy-in)

    Outside of the paid membership options, there’s still a lot of good options:

    • MISP is a great threat intel sharing platform, but will require some setup as a product (free && opensource). Take this one slow, you don’t want data leakage. Start small and locked down, gradually open up as you gain buy-in/trust/confidence.

    • Cybrary IT is a free+paid learning platform, good stuff here - lots of diversity including business stuff

    • OWASP - more so for web-app security, still good knowledge to add to that toolbox

    • OpenSecurityTraining - heard some good things about this site, I think you may enjoy it - I have not used it myself, but please let me know if you have any problems/reasons you don’t like it.

    Then there’s always the classic CTF/Hack Challenges websites out there which let you get real experience with red-teaming/bolstering your knowledge of attacker TTPs (Techniques, Tactics, Procedures):

    • HackTheBox - challenges for practicing your skills. No hand-holding, just a sandbox for you to play in. They have academy offerings (paid, and a new service, recommend skipping unless you can get buy in from the company/have a team who would benefit from a bulk-license purchase), regular free boxes to challenge yourself with, etc

    • TryHackMe - this one is also CTFs but its more so lesson based/training stuff

    • Heard good things about KC7 as well, seems to be more threat hunting/blue team focused (blue team = defend, red team = attack)

    • LetsDefend - Free + paid options, more blue team stuff, great for SOCs which may or may not hit your mark.

    Hope this helps you out, biggest thing is getting integrated with the community, reading the news (religiously), and managing burn out. Security is an uphill battle, but we roll this boulder for others who cannot. Respect your body and take care of your mental, or you will burn out and scar yourself. LMK if you need anything!

    • stevedidwhat_infosec@infosec.pub
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      6 months ago

      Forgot to mention the NIST Framework, oy vey. This one is pretty good and is an excellent resource, albeit rather scary lookin’ on the surface. Very good resource, and will definitely net you some cred in your org.