I received a delivery from DHL on Friday, and there was a distinct lump in my throat when I opened the package which contained that pristine white cardboard folder, holding MY OSCP certificate. I had dreamed of seeing my name on those silver letters - and now I did.
I posted a photograph of the certificate on my LinkedIn and received an overwhelming response. So many people were curious about how they too could complete the PWK course, or they wanted advice - or to know how I transition from being an Architect (the construction kind) to a Pentester.
There are many blogs about the OSCP, which provide tips and advice on the best way to tackle the course and approach the exam. I read many of them, and found them helpful - and I encourage anyone reading this to do the same.
I also want to state at the very beginning of this blog that I certainly do not claim to be an expert in any way whatsoever. I am continuously humbled by how much there is to learn, the people I have the privilege to work with, as well as the colleagues in this industry at large.
Everyone has their own story to tell, this is mine.
Security needs to grab a hold of you, and you have no urge to escape it...
(NOTE: This may seem like an obvious thing to say, but is an important part of the process, because if this is not your passion - you're going to have a very bad time.)
I had no background in IT whatsoever, and needed to start learning some basics. Like many others who find themselves interested in 'InfoSec', I started on the journey to find out more.
This process seems to have two main parts. On the one hand, I was pleasantly surprised to discover that many good-quality resources exist - mostly for free. Coming from a university background, I found it incredible that so many people had so freely given their knowledge away for others to learn. On the other hand, there was just SO much to learn - where on earth do you start?
My advice is: just start. Somewhere. Anywhere.
If you are like me, previously with very limited knowledge, everything will seem disjointed at first and you will feel like you're learning many different concepts in isolation... but KEEP AT IT! Eventually, slowly but surely - all of these little things will start to link up and become clearer as part of 'the bigger picture', and the satisfaction of those 'ah-ha' moments is unparalleled.
- Start with learning the basics: Cybrary is a good place to start as well as Over The Wire war games.
- Keep at it!
INTERNSHIP PART 1
After I had spent a few months doing self-study, I emailed Telspace Systems to introduce myself and ask for advice about how to get started in the industry. The response I received from Manual Corregedor informed me about an upcoming Internship program and asked if I would like to participate in an interview. Thankfully, the little bit of technical knowledge I had managed to gain (while running a full-time business of my own) meant I met the criteria, and was offered a position at the Boot Camp which started on 4 March 2019. As they say - the rest is history (with a lot of blood, sweat and tears involved)!
I am aware that a lot of people experience considerable barriers to entry. If this is the case - please do not give up. Please keep trying to find the place that fits you... and when you do find that place and start to make progress, please keep 'paying it forward'. This is a huge part of the Telspace Systems "mantra". As far as I am concerned - opening doors for others and giving back is a big part of the process. Security would not be the awesome industry that it is, if everyone kept their magic to themselves.
INTERNSHIP 1 TLDR:
- Get involved with the community, until you can get your foot in the door.
- Keep at it!
INTERNSHIP PART 2
I have been immensely lucky to receive training from world-class pen-testers, who I have the utmost respect for. The knowledge that is shared during an internship is priceless, and can vastly accelerate your learning experience.
It is however worth keeping in mind that (during an internship) all candidates are given the same information to learn, and opportunities for growth - but the rest is up to you! You have to spend time doing self study, because there is not a single pentester on earth who can hand-hold an intern/beginner the whole way through the process... and it would not make sense to either - learning HOW to google, and deal with unfamiliar situations is part of this job!
INTERNSHIP 2 TLDR:
- Learn a much as you can, and make the most of your opportunities.
- Keep at it!
During these 6 months, the Juniors get to shadow analysts on assessments, complete their studies, conduct research, attend events and learn more about the industry. At the end of the 6 month period, every Junior Analyst needs to demonstrate excellence in multiple aspects in order to receive a permanent position here at Telspace Systems.
This requires a lot of hard work and dedication - and comes back to what I said in the very beginning about passion for this as a career, not a nine-to-five 'job'. Your attitude has to be the former to make tangible progress.
As far as actual OSCP preparation goes: this my advice in a nutshell:
- Read through the PDF manual. OffSec are trying to teach you certain principles contained in that document - so do not toss it aside.
- Manage your time carefully, because you get to keep the PDF, but your lab-time is ticking.
- Choose the longest lab-time package as possible (or that you feel is suitable, depending on your skill level).
- Spend as much time practicing in the labs as you can.
- Exploit manually, rather than relying on Metasploit. You will thank me when it comes to exam time and to your actual assessments in real life!
- If your lab time runs out, consider extending it or signing up for a paid subscription like Hack the Box.
- Have you Googled it?
- Keep at it, if that isn't working then you need to Try Harder!
This is arduous, just because of the sheer length of the exam. So I recommend that you write this in a space where you feel comfortable, where you know you will have uninterrupted access to electricity and Wi-Fi (a real problem in South Africa unfortunately), have plenty of snacks, and finally - my mentor Dino Covotsos gave the great advice to take breaks and rest.
It can be easy to get fixated on a rabbit hole, and lose hours of time trying to get one thing to work. You will be amazed at the other possibilities that pop into your head during a short walk or nap!
There are people who do pass on their first attempt - I was not one of those people. If, like me, you fail an attempt at the OSCP (or any exam for that matter), being able to identify your weaknesses so that you can improve upon them means that you are still able to gain something from the experience.
However, failing was not something I was used to. It can be very discouraging and make you feel like you're not capable, smart enough, or meant for this industry; and it is admittedly difficult to keep those mind-monsters in check sometimes. Thankfully, some of the most talented people in the industry have openly admitted to feeling like they are failures, suffer from imposter syndrome and often feel demotivated.
It is absolutely normal to feel a bit rubbish after failing, but this is where your passion enters the equation again. Where you refuse to lose! Give yourself some time to accept failure, then pick yourself up and figure out your game-plan. All part of what we learnt during the internship process with Telspace Systems initially.
It is not possible to be good at everything, and it takes time and effort to learn any skill - thank you Dino Covotsos and Manuel Corregedor for encouraging me not to shy away from my weaknesses - keep learning and practicing.
- Failing sucks, but figure out where you need to improve.
- Keep at it!
The hours of work, the dedication, the proverbial 'blood, sweat and tears' - are well worth it.
- Passing is AWESOME, but never stop learning.
- Keep at it!
Thank you to every single person who has been part of my journey. To those who have taught me, to those who have underestimated me and said I did not deserve this (because you made me fight for it harder), but mostly to those who understand that to achieve great things takes immense hard work and lead by fantastic example.
Post by Amy Manià