Home MITRE Tactic TA0003

MITRE Tactic TA0003

Persistence: A vital part of any attack

It’s been a a while since my last time posting. A lot has happened since then and I have been very busy. Since my last post, I found an interesting job posting with a company that I had been following since I first moved home. They had originally came on my radar when I saw a posting for a Sr. Penetration Tester. I researched the company and applied for it, but almost immediately received a rejection. I was very under qualified, but as the saying goes, shooters shoot.

Although I was turned down, I followed the company and learned more about it, and was very impressed with them. I admired the leadership of the company and could see myself working and growing as a professional with them, but unfortunately there wasn’t an opening that fit my qualifications. I added them to a list of companies that I keep and kept checking their linkedin and company page for any openings. As time went on, I began to believe that I needed more time in my help desk role to grow my IT experience as well as work towards getting my OSCP. I was happy in my current role, and was being given amazing opportunities to do security work even though I was just a Help Desk Tech. To be honest I kind of shut down my job hunt for the time, and had put my journey into InfoSec on a sabatical.

Then one weekend, I was perusing reddit when I saw a role for an Offensive Security Consultant in the r/infosecjobs subreddit come across my feed. I clicked on it out of curiousity, and saw it was for a role in my city. That really piqued my interest. When I clicked on the link in the post, it brought me to a linkedin posting for the company I was originally interested in. I figured, “What the Hell, might as well apply again.” I filled out the linkedin job app, and sent a DM to the poster of the job that I had applied along with a link to my linkedin page and my website. The next day, the hiring manager reached out and we scheduled an interview.

I was through the roof excited, but I did temper my expectations. I had read and been told, that Cyber Security was not an entry level role in IT and that I would need to cut my teeth for years doing IT work before breaking in, and even further down the road, the door would open for an offensive role.

During the first interview, I felt like I hit it off wth the hiring manager, and the Offensive Security Director. I felt as though I had answered their questions pretty well, but most importantly, I could really see myself working with them and learning from them, and the more I learned about the role and the company, the more I wanted this job. The interview ended, and they said they would be in touch with the next steps, in the next week or so. I really wanted this role, but didn’t want to get my hopes up too high. I was confident that I had done well in the interview, but I had the nagging thought in my head, that I was probably not the most qualified candidate.

Later that day, I received an email from the hiring manager that they wanted me to sit down with the VP that oversaw offensive operations, and I started to believe that maybe this could be a great sign. I immediately responded and booked the soonest interview time I could with them. I prepared all weekend for the interview, going over all my notes on questions that I might hear, and coming up with questions that I had for them as well. The time came for the interview, and I was nervous as hell, I didn’t want to blow my shot, like I felt like I had before on other roles. We started the interview and it was going well. At the en he asked me what I thought of the role and the company, and I answered with an answer I wasn’t sure of at the time.

I was open and honest and laid all my cards on the table. I said that to be completely honest this was a dream role for me at a company I admired and been following since the beginning of my process into Cyber Security. I didn’t know if this would come off as desperate, but I wanted to make how I felt about the role and the team clear. I left the interview feeling that I had given my best effort, and felt like I had left a good impression. The next day the hiring manager called and let me know that they wanted to bring me on, and I was ecstatic. I finally felt as though the risk I took, and all my hard work was starting to pay off.

I am very happy to say I am now a Security Consultant with Layer 8 Security. I am so thankful for them giving me the opportunity to pursue my dream role in a great company. I started last week, and everyone has been so welcoming. I can’t wait to see how I grow as a professional and contribute to the successes of the company!

Lessons learned

Looking at my experience, on breaking into Cyber Security, I have learned a lot of lessons, that I feel apply directly to what I am now doing, as well as trying to break into the industry. I am certainly not an expert, but this is my experience of how I got to where I am.

Everyone is different. Our experiences are unqiue, and our paths are different. A lot of resouces out there try and map out a path into the cyber security role that you want. These are extremely valuable, but I feel they should be used as a guideline, rather than used as a literal map to get where you want. In my experience, I had seen that I needed to do years in Help Desk and SysAdmin, and then more years in a SOC before I could be considered for an Offensive role. Had I listened to these, I wouldn’t have believed I was ready for the role I am in now. Basicaly what I am trying to say is to believe in yourself, set your goals, and follow your own path to achieve them. Don’t listen to the people saying you aren’t ready, or you need something X and Y before you get to Z. If you feel you are ready, and have demonstrated your skills, shoot your shot and go for the role you want.

Something else I believe in and believe played a large role in getting my position, is that you need to be working. Dont sit there and just keep applying for the security job you want. You need to go out and get a role that is adjacent to security, preferrably help desk or SysAdmin work. I knew I didnt want to sit around and apply for jobs all day, so I went and found a role at a small MSP. This role was amazing for my journey. I was able to get hands-on experience with System Admin, Network Admin, and even security work from the start. As I have mentioned in a previous post, we are in a talent shortage, and not just in the security industry. There are small MSPs across the country that are looking for people to work with them. Working at a small MSP will allow you to make the role how you want and take on things like security. This can help them with talent, and it can help you get the experience needed to make a move into Security.

Again these are just my thoughts based on my experiences. We all have our own journeys, dont take my process as the key to success, but instead use it to get ideas to succeed on your journey.

Plans for my blog going forward

Now that my initial goal has been reached of breaking into cyber security, I plan on making some changes within my blog. I have bigger goals (OSCP, Technical things, etc) and I want to document these more often. I think in early Feb I will make a post with a better outline, but I am going to try and make my blog a little bit more technical. Any way thanks as always for reading!

This post is licensed under CC BY 4.0 by the author.