You've found out about cybersecurity, and it seems to be something you want to know more about. What do you do? Where do you start?
This guide will help you take your first steps (and a bit more) in cybersecurity.
Security Summer School (SSS) is a free online event targeted at students and hobbyists who aim to take their first steps in cybersecurity. SSS takes place during June-July of each year, online, on Discord. Application is in May of each year.
SSS traditionally featured the binary track, on binary application exploitation. Since 2020 (SSSv7) it also features a web track, on web-specific security topics. Starting in 2022 (SSSv9) it will also feature a security essentials track, for those who are at the very beginning of their journey in the world of computers and cybersecurity.
SSS is the ideal place to kick off your cybersecurity “career”. It features the most important concepts in cybersecurity and also the ingredient known to all cybersecurity enthusiasts: CTF (Capture the Flag) contests.
Find out more by joining the Discord community.
After getting some initial knowledge of cybersecurity topics, either on your own, at university, at SSS or at some other event, you will want to take the next step. The best way to do that is to solve cybersecurity challenges. These are scenarios that feature some sort of flaw that you have to discover and “exploit”.
The easiest way to do that is to do wargames. Wargames are collections of cybersecurity challenges listed on a website. Each challenge usually provides you with a remote setup or an executable / archive to solve / exploit. Challenges generally follow the capture the flag logic: solving the challenge gives you a flag that marks that you've successfully solved it. In the case of wargames, that usually also takes you to the next level (i.e. the next, more difficult challenge).
A complete set of wargame sites is listed under WeChall. WeChall itself has its own set of challenges. The nice thing about WeChall is that it grades challenges and wargame sites by difficulty and fun, so that should give you an idea. Of course, if you're a novice you should start with the less difficult ones.
A good collection of security-related resources (mostly wargames) is here. It's more than wargames, and it has a nice mindmap picture that helps you categorize the resources.
A very good starting point is picoCTF, which was created specifically for beginners making their first steps in the cybersecurity world, in a practical manner.
A nice, extensive collection of CTF challenges, classified by topic, is on CTFLearn. There's quite a bunch of them and you can spend quite a bit of time on them.
We recommend that you continue with OverTheWire. OverTheWire provides multiple wargames, and you can do them from easy to difficult, in the order listed on the site: Bandit, then Leviathan, Natas, Krypton, Narnia etc.
Next you can move to other wargames and challenges. See what you like and which particular area of cybersecurity appeals to you: reversing, binary exploitation, forensics, web, crypto. Ideally you would have a good balance of all areas, but aim to specialize in one.
One wargame we enjoy, not listed on WeChall, is IO Netgarage (previously IO Smash The Stack). It's a binary wargame that takes you through a lot of the common exploitation patterns in today's software.
Also look at CyberEdu for collections of challenges to solve.
A more complex set of challenges features an entire virtual machine that you have to exploit. The virtual machine usually has a realistic setup with a vulnerability (or more) that you have to discover. The virtual machine either has to be downloaded or is accessible online.
These challenges are more difficult as they generally require you to go through all steps of a cybersecurity attack: reconnaissance, enumeration, exploitation, remote code execution, privilege escalation. This also makes them more realistic, so it's important that you take a look at them.
TryHackMe is an excellent platform with both free and paid content and online virtual machines. It provides learning-centered “paths” in which you can discover or expand computer and cybersecurity related topics. All items are centered around remotely accessible virtual machines (via a VPN connection).
Another place to look into is VulnHub. VulnHub is a community repository of vulnerable virtual machines. Community members create and make available virtual machines on the VulnHub website. Virtual machines have to be downloaded and installed and exploited locally. As a community-centered repository, VulnHub has a large set of vulnerable boxes you can toy around with.
Hack the Box is the next place you want to look for vulnerable boxes. Hack the Box is a more business-oriented organization, with items also available based on a paid subscription and special offers for companies. Virtual machines are already deployed and you can access them remotely via a VPN connection.
Once you get a good grasp of cybersecurity topics and solve your fair share of wargame challenges, it's time to be part of a competitive cybersecurity event: a CTF (Capture the Flag) contest.
A CTF contest is a time-bound event (usually between 8 and 48 hours) where teams of contestants solve challenges provided by the organizers. Typically a CTF follows a jeopardy model, with challenges split into different categories (such as binary, web, crypto) and points assigned for solving them. There are also attack-defense (or red-team / blue-team) CTFs where you have to attack and defend against other teams on pre-configured virtual machines provided by the organizers.
In CTFs you usually compete as part of a team. So it's important you have or make friends who share your passion for cybersecurity and be ready to jump in the next CTF that comes along.
For starters you can take part in more beginner-friendly CTFs, such as those organized locally. In Romania, you can be part of:
There is a professional world-level series of CTFs that you can also be part of. These feature prizes, on-site events and much more. Careful, though, this is where the big boys play. Expect more difficult challenges. And also don't expect to be in the top 10 from the first few (or more) tries.
Find a list of CTFs, past and upcoming, and a team ladder on CTFTime. This is the one resource that collects major CTFs happening throughout the world.
It's very productive to learn from others. Fortunately, the cybersecurity community encourages people to do write-ups: descriptions of their solution to a challenge. You can look here for a collection of such write-ups from many CTFs throughout the years. This will give you an overview of how others solve challenges and provide good (or alternative) approaches for future challenges.
It's also highly recommended to write your own write-ups. This will both help you understand better what you just did and develop your writing and explaining skills.