I recently decided to pen this blog post because, upon looking back, I realize that my career path so far has been conventional in some ways and unconventional in others. I wanted to share my story and how I got to where I am today to offer others an idea of one of many possible paths into this field. I emphasize "one of many" because there is no "one size fits all" way of reaching your career goals in cybersecurity and ethical hacking, but hopefully I can offer you some takeaways that may make your path a little easier or clearer.
With that, here goes!
Note: If you want to skip the story and hop right to the advice, click here.
The Boots: A Fast and Furious Stint in the Military
In May 2017, I finished my degree in Mathematics, joined the United States Air Force via ROTC, and was given my career field of choice which is now known as Cyber Effects Operations. Less than two weeks after graduation, I found myself at Keesler AFB, MS ready to undergo 7 months of career field training to become fundamentally acquainted with military communications, cybersecurity basics, and offensive and defensive cyber effects operations.
Like with many military schools, the way you ranked amongst your peers determined where you wound up and what you did as a follow-on assignment. It was imperative to me that I wind up at a unit that I believed would have a "tip of the spear" impact when it came to facing the adversary behind a keyboard, so I explicitly set aside time to study and review my course material in order to perform well in class. I was fortunate that my hard work paid off and I was shortly sent to a cyber protection team focused on threat hunting against the adversary.
Shortly after my arrival, we were coming up on the 2018 midterm elections. My unit was identified as the defensive arm of a campaign to counter influence in the election process; later that fall I found myself in Eastern Europe with teammates hunting on networks for adversary activity. I can't speak for the others on my team, as everyone has their own perspective of shared experiences, but this short time in my career was a personal crucible. I felt as though I was in contested territory and "the belly of the beast," facing continued high-stress, but anxious and determined to drive positive results and make my team, leadership, and country proud. We had a successful engagement and I felt immense pride in the folks I worked with to achieve that task. Those weeks spent on the keyboard and simultaneously leading a team of technologically-adept folks gave me a taste of what it meant to be simultaneously tactical and technical and knew I wanted to stay that way for a very long time.
Very few options exist for military officers who want to remain in a "tactical and technical" role for the long term, and due to certain challenges those options were not available to me. That was therefore one of the many reasons why I determined it was time to conclude my military career after a fast and furious 4 years and move on to a different sector that would meet my needs.
Proactive to Reactive: Government Threat Hunting to Commercial Incident Response
At the conclusion of my time in the military, I utilized a benefit called "SkillBridge." Essentially, this allows you to be an "intern" at a company that has a partnership with the military while still on the government's payroll. The opportunity then exists for you to interview for the role you interned in, and if things don't pan out, you at least already have some non-military experience under your belt that you can leverage in your job hunt elsewhere.
While on active duty, I was very familiar with CrowdStrike. I knew they produced high-quality deliverables that detailed threat actor TTPs and were considered to be at the forefront of the cyber frontlines from the commercial perspective. A former military peer pointed me to the recruiter for Falcon Complete, CrowdStrike's managed detection and response service, and after discussions, assessments, and interviews, I was able to land a SkillBridge opportunity with them. I was later offered the opportunity to join the team.
Working in an incident response role gave me a whole new lens through which to see cybersecurity. Incident response is more of a "reactive" approach, whereas threat hunting is a "proactive" approach to deter and expel the adversary prior to damage being done. Incident response requires triage and remediation actions, and in a commercial sense also involves customer-facing interactions where you communicate the threat, the risk, and the remediation that took place. Here I was not only able to grow my technical skillset (now more focused on threat remediation as opposed to intrusion identification), but I was also able to expand on my customer service skills and my ability to communicate technical findings effectively and understandably.
After roughly 18 months in the analyst role, I wanted to seek a challenge in an area of cybersecurity that I hadn't faced before. At this point i had spent close to 6 years performing defensive engagements and what is also known as "blue teaming," and wanted to branch out into an arena that both intimidated me and intrigued me. Enter red teaming.
Adversary Expulsion to Network Ingress: Transitioning from Defensive to Offensive Operations
In the summer of 2022, I sought out cost-effective ways to become better-versed in ethical hacking, active directory attacks, and other marketable skills relevant to an offensive cyber operations role. I stumbled upon Altered Security's Attacking and Defending Active Directory bootcamp and enrolled. I spent four Sundays in 3 hour sessions immersing myself in understanding Active Directory and attack paths that could be used to laterally move and escalate privileges within an environment. After this exposure, I fell in love with the concept of being able to identify misconfigurations, see how far an adversary could go with abusing them, and then educating folks on how to remediate weaknesses.
This experience, coupled with throwing myself into HacktheBox Academy and labs, TryHackMe, and TCM gave me a foundation in ethical hacking.
Timing could not have been more on my side. Roles were posted looking for Red Teamers at CrowdStrike, and I applied as an internal candidate. I underwent the interview process and was offered a role as a consultant on the team. Today, I have been in this role for 8 months and can't picture myself doing anything else. I love the chances I get to continue to grow, both from my own hands-on keyboard engagements and from my talented peers, as well as through my own personal continued pursuits of education.
Alright, enough story time: what are the takeaways and tips?
I'm going to start this section the same way I started this post: there is no one way to get here. The folks I work with came from all different types of backgrounds and experiences, and honestly that's what makes our team great. With that being said, below are some takeaways and tips I think are important from my journey and 7+ years in the field:
Always Strive to Learn
All of the roles I occupied definitely had this in common: if you aren't constantly striving to learn, you will fall behind. In threat hunting, it's understanding the TTPs the adversary is using in order to properly identify suspicious activity. In incident response, it's understanding the key indicators and artifacts associated with a piece of malware in order to remediate it exhaustively. In red teaming, it's understanding new vulnerabilities, exploits, misconfigurations, and opportunities to achieve objectives in an engagement. With all of these there is evolution, and if you don't grow and evolve with them you will miss out and fall behind on being lethal and competitive in the cyber battlefield.
You Don't Need to Spend A Million Dollars to Learn
Did I use paid training on my journey to the present? Yes. Did I break the bank in relation to what I could fiscally tolerate? No. Unfortunately, there are a lot of cyber education opportunities out there that simply are not within the pecuniary reach of the average middle-class income bracket; however, low-cost and free opportunities do exist. I will link several of them at the end of this post to make sure you are aware of them. Leverage those. YouTube is also your friend.
Network
I cannot emphasize this one enough. Although I joke that I find myself in one of the most introverted and stereotypically "anti-social" careers, networking was definitely a springboard on my journey. If my former colleague hadn't done the introduction between the recruiter and I, maybe I wouldn't be where I am today. Branch out, go to conferences you can afford. Typically BSides charges a low fee and presents you with many opportunities to network with like-minded folks. Make a LinkedIn and advertise yourself. On that note...
Build Your Own Brand
What do you want to be known for? How do you want to be perceived? How does that overlap with your goals and passions? The middle of that Venn diagram will be a great guide on how you want to brand yourself. Create a blog documenting your journey and educating your peers in the field, build out your LinkedIn and post regularly, publish code to GitHub, make yourself known. If something intrigues you, don't be afraid to go after it. Follow your passions because you will inevitably bloom in those areas. Think about it: let's say you pursue an endeavor because "learning those skills make a lot of money" and not because of anything else. Do you think you'll feel compelled to spend an evening researching a related topic and writing about it? This process shouldn't be excruciating. Pursue something you love, and it won't be such an onus to build upon it.
If You're Eligible and Willing, The Military Can Be a Trampoline
This section is not a recruitment pitch by ANY means, but I would be naïve and mistaken if I didn't recognize that the skills and opportunities I had in the military propelled me in my career beginnings. The skills I gained, both technical and interpersonal, postured me for success upon departure. If it's something that interests you, fits your life goals, and actively captures your interest, consider it; please don't do it "just for the benefits" or "just to get a high paying job afterward." The military is a serious commitment, involves involuntary time away from loved ones and possibly into precarious situations, and is not something you can simply quit from when you've had enough.
Have Fun
I think you'll have a much better and easier time if you truly enjoy this kind of stuff. Have fun with it, go after learning opportunities because you genuinely find them interesting.
Pursuing your passions and having fun along the way is one of the ways to reduce the chances of burnout.
Stave Off Burnout
Burnout is a very real threat in cybersecurity. The reports from the frontlines are there to prove it and discuss it. This journey is very much a marathon and not a sprint; consistency is key. If you're absolutely demolished after a work day and truly have no mental or emotional stamina to even look at a computer screen, take care of yourself and look after your needs while scheduling study/research time for another evening. To be the best threat hunter/incident responder/red teamer, you first need to be the best you at a fundamental level. If your basic needs of sleeping, eating, and respite aren't being met, look after those first, the chance to learn will always be there.
Resources
Military Transition Resources
SkillBridge (Career Assistance, Internship Opportunities)
Military OneSource (Mental Health, Family, Transition Guidance)
Onward to Opportunity (Free career training for civilian job opportunities)
Veterati (Veteran mentorship platform)
VetSec (Mentorship and support in pursuing cybersecurity job opportunities)
Low-Cost or Free Learning Resources
TCM Practical Ethical Hacking ($29.99/self-paced course)
TCM OSINT Fundamentals ($29.99/self-paced course)
TCM Practical Malware Analysis & Triage ($29.99/self-paced course)
TCM Academy All-Access Pass ($29.99/month for access to all of their courses)
HacktheBox Labs (Free up to a point; less than ~$20/month for VIP access)
HacktheBox Academy (Some modules are free, others you pay by the "cube")
TryHackMe (Free up to a point; as low as $10.50/month with annual subscription)
Professor Messer (Free YouTube videos for CompTIA exams)
PortSwigger Web Security Academy (Free web security training)
Learn AWS Pentesting with Tyler Ramsbey (Free YouTube videos on cloud pentesting)
Additional Paid Learning Resources
Altered Security (Bootcamps focused on Active Directory and Azure)
ZeroPointSecurity (Courses range from free to 400 British pounds)
Comments