By David Lenehan, Security Consultant at Nettitude
Leaving the forces and want a place in one of the largest growing fields in the IT industry? It’s very achievable providing you’re willing to put in the work and you’ll find you already have the hardest skills to teach.
Becoming a Security Consultant vs Becoming a Penetration Tester
Here at Nettitude, we don’t hire Ethical Hackers or Penetration Testers, we hire Security Consultants. The distinction is important. With the right training, most IT savvy people could become a Penetration Tester, but how do you go about explaining what you’ve found to a client? This is where the softer skills learned in the military are fully transferable to this growing industry.
It doesn’t matter where you were in your career in the forces, as at every level of the rank hierarchy those who have served have had to delicately and tactfully tell someone senior to them that they are wrong; and why; and not be sorry for telling them. Similarly, a Security Consultant needs to perform a penetration test, write a detailed report on how it was performed and what was found, and then explain this to the client.
There are many skills that belong where you learned them – leave them in the Services! No one’s going to be that impressed with how good you were at drill or how many sit ups you did on your fitness test. The impressive soft skills you’ll have picked up over a career are the ones that are really difficult to teach; they’re highly desirable in the consulting market and not something everyone in the civilian job space has mastered.
I can almost guarantee you’ve mastered these consulting characteristics that will have you excelling in a firm like Nettitude: skills like the ability to perform under pressure, to work to deadlines, to temper your delivery to your audience, to explain technical concepts in an easy-to-understand manner, and to pick up on implied tasks and run with them. Which employer isn’t looking for someone like that?
Your soft skills are what will make you a success in the industry, so the next step is to get the knowledge. Certifications are great but it’s the knowledge that they prove that is valuable. If you’re thinking about taking a course, make sure it’s the best quality you can find. You can take a 1 day pre-exam crammer and get the certification you want, but if you don’t have the knowledge to back it up outside of the exam room you’ll be quickly found out during a technical interview.
My Step by Step Advice
Before I joined the Army, I was a Software Engineer at IBM. I then served for 8 years as an officer in the Royal Signals and was not once employed in a technical role. The closest I came to being technical was completing an ICT module for one week on my troop commanders course, and that was it. By the time I’d decided to leave I’d pretty much forgotten most of what I knew and needed to start again.
When preparing to leave, I made a spreadsheet (which officer doesn’t love a good spreadsheet!), but you could use MS Project or any other tool to plan your exit. I knew I wanted to leave but needed to figure out the timeline that would work best, and in the end I had an 18 month plan. If you’re hovering over the button on JPA, take the time to make sure you have a plan. If you’ve hit the button already I hope you either have a plan already, or you’re ready to make a plan today.
That one-year notice period comes up quicker than you’d think! Be careful with how you use your GRT leave: it’s easy to burn away, and there are many advantages that come with your GRT over regular leave, accommodation and travel to name just two.
To get yourself to the level of knowledge required to become a good Security Consultant I recommend the following steps:
- Learn (or re-learn in my case) the basics;
- Practice some ethical hacking;
- Take the OSCP exam (Offensive Security Certified Professional).
The Basics
The goal is to take the OSCP, more on that later, but before embarking on the OSCP there are two fundamental pre-requisite skills that you should aim to have in your arsenal.
- Linux
- Networking
Linux
The main attacking platform used by our Security Consultants is Kali Linux, with Windows second. There’s no need to be a Linux pro, and there are courses out there that will get you up to the required standard, such as CompTIA Linux+, which you can study for free at Cybrary. Also for free, you can do the Over the Wire War Games. With some internet searching, you can learn the fundamentals of what you need in order to get around in Linux with a focus on security. The site also has other free resources to get you going.
Computer Networks
You’ll need to understand how computer networks work. If you have an IT background or have completed Cisco qualifications during your service, then you’ll likely already be at the right level. If not, then the CCNA offered via the CTP is a good place to look, as is CompTIA Network+ which you can study for free here.
Practice Ethical Hacking
The next free resource I would recommend is hackthebox.eu. Signing up is part of the challenge and you should be able to use some of the skills you picked up on Over The Wire. If you’re still struggling then a working knowledge of JavaScript will help. I found that Codecademy was a good resource for learning, and others I know used Cybrary’s catalog of JavaScript courses.
Once you’ve signed up to hackthebox.eu you’ll have access to forums full of information and many hacking challenges to complete. Once you’ve earned the “Hacker” badge you’re well on your way and likely past the entry level standard for the OSCP course.
Here are some more guided resources that may be helpful depending on your level of experience.
- Complete beginner:
- Good OSCP style VulnHub VMs to start with:
  - /dev/random scream, get to grips with meterpreter on Windows
  - Stapler 1, VM by g0tm1lk with multiple solutions
  - FristiLeaks 1.3, web to root with encoding challenges
  - Kioptrix 2014, web app and kernel exploitation
  - VulnOS 2, web to root with databases and password cracking
  - SickOs 1.2, fun with HTTP methods and cron jobs
  - Brainpan 1, tough VM which requires some reverse engineering
  - HackLAB Vulnix, learn to prioritise enumeration and piece the puzzle together
- Good resources to practice Web Application Hacking:
  - OWASP Top Ten Project, something you’ll need to get to grips with
  - OWASP WebGoat, maintained by OWASP and the best starting place
  - Damn Vulnerable Web App (DVWA), a very good and very vulnerable PHP/MySQL application
  - Buggy Web App, covers all OWASP Top 10s
Take the OSCP course and exam
The gold standard entry level qualification into this industry is the Offensive Security Certified Professional. It’s hard. It’s expensive. You may not pass the exam first time (I certainly didn’t) and a lot of people quit. To summarise the course, you buy a learning pack that is fully electronic (i.e. download only) and an appropriate amount of time in “The Labs”. The Lab environment is full of vulnerable computers for you to hack into. It teaches you to look further than the course materials and how to find and exploit vulnerabilities on your own. The exam for the course is 48 hours long, 24 hours of hacking and 24 hours to write a report. I first had two months of lab access and then attempted the exam for the first time; it was a humiliating defeat. I bought a lab extension for a further month then passed the exam the second time.
Most importantly, think about how you will frame each of your findings to a client – how will you help them understand the impact of your findings to their business operations?
Final Thoughts
I’m a big advocate of learning over qualifications, with certifications only being as good as the knowledge they represent. This is why I have steered clear of advising any resource you might need to pay for, other than OSCP.
Many service leavers also look at the Certified Ethical Hacker qualification offered by the EC-Council. Check for yourself the number of service leavers’ LinkedIn profiles that mention they are working towards this qualification. There is a certain logic in attempting the qualification too, as it has the words “Certified” and “Ethical Hacker” in it, so surely it can’t be too far off the mark. Before booking the exam or any training, do a search on the internet for “ec council got hacked” or “ceh got hacked”. There is definite learning that can be achieved from doing the course, and a CEH course book was actually the first place I started, but I put it down after a few chapters when it was clear it was an exam prep book and not building on knowledge that would help me do a job in the future.
The Certified Information Systems Security Professional (CISSP) is another qualification to consider. I studied for and took the qualification before embarking on the OSCP journey. There was very little transferable knowledge from CISSP that helped me with OSCP. What it does however do is set you up with the management knowledge for information security and prepare you for a role in information security management, which is a different branch of IT security.
It’s up to you whether you want to study for the qualification; it’s relatively cheap in comparison to other Cyber qualifications and teaches some good lingo that can help as a Security Consultant, but consider what learning you will get from the study given your available time and your final goal.
Work at Nettitude
The last thing to do is come and work at Nettitude. We have two schemes suitable for Service Leavers.
Firstly, we have the “Accelerator Scheme”, which works very much like a graduate scheme. It offers training in all the technical skills and consultancy skills you’re going to need to be successful, and the required knowledge at the start is an interest in cyber security along with a good beginner’s ability to hack into CTF style Virtual Machines. During the course, you’ll also be given time to complete the OSCP qualification if you don’t already have it. More info is available here.
Secondly, we have the “Launch Scheme”, which takes a higher entry standard of OSCP or CREST CRT equivalent. It teaches the same areas as the Accelerator Scheme but on a much more compressed timetable.
Both schemes recruit through our own CTF challenge which is a learning experience in itself. Check out the Nettitude Accelerator Scheme to get the ball rolling.
Good luck, and get in touch if you would like some informal advice. Better yet, join the TechVets Discord.