Learning for Security Teams

Learning is an important aspect of life. It is even more crucial for technical teams, since technology is ever changing and teams need to keep learning to keep pace with it. Learning soft skills is also the key to becoming a leader.

My thoughts on this topic are based on the following quote:

Tell me and I forget. Teach me and I remember. Involve me and I learn.

- Benjamin Franklin

As per learning standards, the following three E's (the 10-20-70 split) play an important role in career development:

  • Education
  • Exposure
  • Experience

Education (Training)

Training provides structured learning about a subject. It can be classroom training, an online or video-based course, blogs, Twitter, etc.

Think of this as an online course such as AWS security or OSCP. These courses set expectations and follow a structure from basic to advanced (depending on the course objective). At the end of the course, you will have a fair idea about the topic of the training and a base to build on. This contributes 10% of overall learning.

Exposure

This involves exposing yourself to new horizons in security domains and other relevant areas. For example, attending security conferences exposes you to many technical domains that are different from your daily work. Similarly, attending talks on presentation skills gives you room to learn soft skills. This contributes 20% of overall learning.

Experience

By far, this is the main contributor to learning, with a 70% stake. Experience comes from executing hands-on tasks, learning from others, failing and learning from mistakes. This applies to technical skills as well as to other skills like leadership, people management, presentation skills, etc.

Learning in Security

Now that we have set some bases for the learning theory, how does it apply to security teams?

Career Goals

You need to identify your career goal, which will help you build a learning plan. Information security is a collection of multiple domains and many job streams. You can choose to be a pentester, malware researcher, exploit writer, GRC officer, etc. Every opportunity has different requirements and requires a different skill set.

3E’s Example

Once you know what you want to become, or what your career goal is, laying down the learning plan is very simple. A few years ago, I wrote a blog post which explains the path to becoming a web application pentester; it can be found here.

There are so many resources available these days on the Internet to learn any skill you want, paid as well as free. For example, the OWASP Testing Guide gives you basic training for web application pentesting. Following well-known researchers on Twitter and reading tech blogs keeps you updated about new attacks and testing methodologies, along with the tools of the trade.

When you attend security conferences, you get exposed to many new things outside web application security. Topics like APT attacks, malware, exploits, new attacks and mitigations expose you to other domains. Connecting with researchers and industry leaders is another aspect of attending conferences; it opens up discussions and can lead to learning more. You may find a good mentor who can help build a training plan and guide you when you are stuck.

Once you have basic training and exposure, you can start gaining experience by applying the knowledge to on-the-job assignments, testing vulnerable VMs from VulnHub, and participating in CTFs and bug bounty platforms. During the early days of my career, I did so many vulnerability assessments as part of my job that I could identify the services running just by looking at the open ports in scan results. This helped me during OSCP a few years later.

Solving Security Problems

In a small security team, you will encounter endless problems and end up doing everything that falls under the InfoSec domain. Each problem is an opportunity to learn something new. Be it cloud security, security automation or incident response, each helps build a new skill. If you restrict yourself to problems within your core expertise, you will miss out on many learning opportunities. Stepping out of your comfort zone is the key here.

Scheduled Learning

Due to a busy work life, it is very hard to find time to learn new skills, and it is not always possible to learn everything as part of your job. A daily schedule of 2-3 hours for learning will gradually build it into a habit.

The next thing is to plan the topics to be learnt. My suggestion is to start with the basics, then move to advanced material with lots of hands-on exercises. For example, if you plan to learn the Cross-Site Scripting (XSS) attack, learn the basics and the various types from the OWASP Testing Guide. Practice the learned attacks on DVWA. Next, start thinking about filters that block certain words and work out how to find and bypass them. A better way would be to complete an XSS challenge like this one. Every level there will teach you something new.

You can follow the same process for other attacks.

Contextual Learning

Learning differs as per the job you intend to do. For a pentester, it is important to identify the bug and exploit it to showcase the impact, so the focus will be more on the various ways to identify vulnerable parameters and to exploit them under different conditions.

On the other hand, when you are a product security engineer, you need to learn how to detect this attack before the production release, be it in code or during testing. You also need to work on mitigations that are sufficient to restrict this attack. Next comes detection with application logs when someone finds and exploits it. So your learning plan will be focused more on these points.
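As an added illustration (not code from the original post) of the product security engineer's focus points for the XSS example above: the unsafe rendering beside its output-encoded form, and a coarse detection pass over access-log lines. The function names, the assumed Common Log Format, and the sample log lines are all constructed for this example.

```python
import html
import re
from urllib.parse import unquote_plus


# --- Mitigation: encode untrusted input before it reaches HTML ---
def render_greeting_vulnerable(name: str) -> str:
    """The 'before': user input is concatenated straight into markup."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name: str) -> str:
    """The 'after': entity-encoding turns markup characters into plain text."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


# --- Detection: flag requests whose decoded query carries markup ---
# Deliberately coarse patterns: they catch obvious probes, not every variant,
# and a parameter such as "online=" will trigger a false positive.
SUSPICIOUS = re.compile(r"<\s*script|\bon\w+\s*=|javascript\s*:", re.IGNORECASE)

# Assumed Common Log Format: ip ident user [timestamp] "METHOD path proto" status
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def scan_access_log(lines):
    """Return (ip, decoded_path) for each line that looks like an XSS probe."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        path = unquote_plus(m.group("path"))  # decode %3C etc. before matching
        if SUSPICIOUS.search(path):
            hits.append((m.group("ip"), path))
    return hits


# Constructed sample log lines (not taken from any real system)
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /greet?name=Alice HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2020:10:00:01 +0000] "GET /greet?name=%3Cscript%3Eprobe%3C/script%3E HTTP/1.1" 200 540',
    '10.0.0.9 - - [01/Jan/2020:10:00:02 +0000] "GET /greet?name=%22%20onmouseover%3Dprobe() HTTP/1.1" 200 540',
]

if __name__ == "__main__":
    print(render_greeting_safe('<b>"x"</b>'))
    for ip, path in scan_access_log(SAMPLE_LOG):
        print(f"possible XSS probe from {ip}: {path}")
```

The log patterns are a starting point for the "detect it in logs" learning step, not a production rule set; tuning them against real traffic is exactly the hands-on experience the post recommends.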

So what do you think?

There are so many things to learn within a lifespan. Plan your career goal, keep a daily routine, and learn what is needed.

Remember:

Experiments enhance Experience. Failing is a new learning.