Tuesday, February 18, 2020

From Intern to OSCP Certified


I received a delivery from DHL on Friday, and there was a distinct lump in my throat when I opened the package which contained that pristine white cardboard folder, holding MY OSCP certificate. I had dreamed of seeing my name on those silver letters - and now I did.

I posted a photograph of the certificate on my LinkedIn and received an overwhelming response. So many people were curious about how they too could complete the PWK course, or they wanted advice - or to know how I transition from being an Architect (the construction kind) to a Pentester.

There are many blogs about the OSCP, which provide tips and advice on the best way to tackle the course and approach the exam. I read many of them, and found them helpful - and I encourage anyone reading this to do the same. 

I also want to state at the very beginning of this blog that I certainly do not claim to be an expert in any way whatsoever. I am continuously humbled by how much there is to learn, the people I have the privilege to work with, as well as the colleagues in this industry at large

Everyone has their own story to tell, this is mine.


PRE-INTERNSHIP


I discovered Security somewhat by chance from someone who has a deep passion for their career as a penetration tester, and would speak about it constantly. Their level of enthusiasm was undeniable and I found it contagious - my curiosity had been piqued and I couldn't help myself - I wanted to know more... and that's the thing, its at that exact moment where it happens:

Security needs to grab a hold of you, and you have no urge to escape it...

(NOTE: This may seem like an obvious thing to say, but is an important part of the process, because if this is not your passion - you're going to have a very bad time.)

I had no background in IT whatsoever, and needed to start learning some basics. Like many others who find themselves interested in 'InfoSec', I started on the journey to find out more.

This process seems to have two main parts. On the one hand, I was pleasantly surprised to discover that many good-quality resources exist - mostly for free. Coming from a university background, I found it incredible that so many people had so freely given their knowledge away for others to learn. On the other hand, there was just SO much to learn - where on earth do you start?

My advice is: just start. Somewhere. Anywhere.

If you are like me, previously with very limited knowledge, everything will seem disjointed at first and you will feel like you're learning many different concepts in isolation... but KEEP AT IT! Eventually, slowly but surely - all of these little things will start to link up and become clearer as part of 'the bigger picture', and the satisfaction of those 'ah-ha' moments is unparalleled.

PRE-INTERNSHIP TLDR:

  • Start with learning the basics: Cybrary is a good place to start as well as Over The Wire war games.
  • Keep at it!

INTERNSHIP PART 1


Just like there is no 'right' way to start learning about security, there is no correct way to get started in the industry. Get onto Twitter, and tap into the massive community that is active there, find out about the Pentesting Companies in your country, local industry events, then network, talk to people and get involved.

After I had spent a few months doing self-study, I emailed Telspace Systems to introduce myself and ask for advice about how to get started in the industry. The response I received from Manual Corregedor informed me about an upcoming Internship program and asked if I would like to participate in an interview. Thankfully, the little bit of technical knowledge I had managed to gain (while running a full-time business of my own) meant I met the criteria, and was offered a position at the Boot Camp which started on 4 March 2019. As they say - the rest is history (with a lot of blood, sweat and tears involved)!

I am aware that a lot of people experience considerable barriers to entry. If this is the case - please do not give up. Please keep trying to find the place that fits you... and when you do find that place and start to make progress, please keep 'paying it forward'. This is a huge part of the Telspace Systems "mantra". As far as I am concerned - opening doors for others and giving back is a big part of the process. Security would not be the awesome industry that it is, if everyone kept their magic to themselves.

INTERNSHIP 1 TLDR:

  • Get involved with the community, until you can get your foot in the door.
  • Keep at it!

INTERNSHIP PART 2


The internship at Telspace Systems is simultaneously gruelling, and immense fun. The Boot Camp is designed to be high-pace, and really test potential analysts in a variety of ways.

I have been immensely lucky to receive training from world-class pen-testers, who I have the utmost respect for. The knowledge that is shared during an internship is priceless, and can vastly accelerate your learning experience.

It is however worth keeping in mind that (during an internship) all candidates are given the same information to learn, and opportunities for growth - but the rest is up to you! You have to spend time doing self study, because there is not a single pentester on earth who can hand-hold an intern/beginner the whole way through the process... and it would not make sense to either - learning HOW to google, and deal with unfamiliar situations is part of this job!

INTERNSHIP 2 TLDR:

  • Learn a much as you can, and make the most of your opportunities.
  • Keep at it!

Junior Analyst/OSCP


The interns who successfully complete a Telspace Systems Boot Camp, are offered a 6 month contract position, and are required to start with the Offensive Security Penetration Testing with Kali course immediately.

During these 6 months, the Juniors get to shadow analysts on assessments, complete their studies, conduct research, attend events and learn more about the industry. At the end of the 6 month period, every Junior Analyst needs to demonstrate excellence in multiple aspects in order to receive a permanent position here at Telspace Systems.

This requires a lot of hard work and dedication - and comes back to what I said in the very beginning about passion for this as a career, not a nine-to-five 'job'. Your attitude has to be the former to make tangible progress.

As far as actual OSCP preparation goes: this my advice in a nutshell:
  • Read through the PDF manual. OffSec are trying to teach you certain principles contained in that document - so do not toss it aside. 
  • Manage your time carefully, because you get to keep the PDF, but your lab-time is ticking.
  • Choose the longest lab-time package as possible (or that you feel is suitable, depending on your skill level).
  • Spend as much time practicing in the labs as you can. 
  • Exploit manually, rather than relying on Metasploit. You will thank me when it comes to exam time and to your actual assessments in real life!
  • If your lab time runs out, consider extending it or signing up for a paid subscription like Hack the Box.
  • Have you Googled it? 
  • Keep at it, if that isn't working then you need to Try Harder!
Passing the PWK exam to become OSCP certified is no easy task. There is a lot to learn, and the actual exam is 24hours long, with a further 24hrs provided as Reporting Time. (NOTE: The PWK was updated last week, and the course structure has changed. There may be changes to the exam too that I am not aware of).

This is arduous, just because of the sheer length of the exam. So I recommend that you write this in a space where you feel comfortable, where you know you will have uninterrupted access to electricity and Wi-Fi (a real problem in South Africa unfortunately), have plenty of snacks, and finally - my mentor Dino Covotsos gave the great advice to take breaks and rest.

It can be easy to get fixated on a rabbit hole, and lose hours of time trying to get one thing to work. You will be amazed at the other possibilities that pop into your head during a short walk or nap!

Failing


This is a hard one to talk about, but something worth consideration BEFORE your first attempt.

There are people who do pass on their first attempt - I was not one of those people. If, like me, you fail an attempt at the OSCP (or any exam for that matter), being able to identify your weaknesses so that you can improve upon them means that you are still able to gain something from the experience.

However, failing was not something I was used to. It can be very discouraging and make you feel like you're not capable, smart enough, or meant for this industry; and it is admittedly difficult to keep those mind-monsters in check sometimes. Thankfully, some of the most talented people in the industry have openly admitted to feeling like they are failures, suffer from imposter syndrome and often feel demotivated.

It is absolutely normal to feel a bit rubbish after failing, but this is where your passion enters the equation again. Where you refuse to lose! Give yourself some time to accept failure, then pick yourself up and figure out your game-plan. All part of what we learnt during the internship process with Telspace Systems initially.

It is not possible to be good at everything, and it takes time and effort to learn any skill - thank you Dino Covotsos and Manuel Corregedor for encouraging me not to shy away from my weaknesses - keep learning and practicing.

FAILURE TLDR:

  • Failing sucks, but figure out where you need to improve.
  • Keep at it! 

Passing


Nothing on earth could compare to the feeling you get when you open the email from Offensive Security and see it starts with "We are happy to inform you...".

The hours of work, the dedication, the proverbial 'blood, sweat and tears' - are well worth it.

PASSING TLDR:

  • Passing is AWESOME, but never stop learning.
  • Keep at it!
Telspace Systems have given me a wonderful opportunity, which I am incredibly grateful for. I was delighted to be one of the analysts involved in our current Internship program, and to be able to pass some of my knowledge on to those hungry to learn.

Thank you to every single person who has been part of my journey. To those who have taught me, to those who have underestimated me and said I did not deserve this (because you made me fight for it harder), but mostly to those who understand that to achieve great things takes immense hard work and lead by fantastic example.

Post by Amy ManiĆ 

No comments: