EDIT: Thank you guys so much! This was tons of fun, great questions from everybody. We might create a recap of some of the questions and answers on our blog in the near future, we'll keep you updated!

EDIT2: I see a lot of people still have questions, keep them coming, we will try to come back to this thread and answer everything we can (probably after the weekend).

Hi, I'm Amit Serper, principal security researcher at Cybereason. Here as well are the team of security researchers and incident response professionals who work with me.

We've done low level operating system research, reverse engineering, vulnerability research and exploitation. We’ve also impersonated a plane, cloned building badges, broken into networks, found new malware, won hacking competitions, and cut bad guys off at the proverbial knees.

  • Work experience varies from 1 year to 25 years in InfoSec
  • Some have a GED, some have multiple Masters degrees
  • Some came from IT, SysAd, Programming, Investigations, or Radio Equipment
  • Most of us are self-taught and transitioned from other fields (some not even tech)
  • All of us have a passion project or white whale that led us into the field

As we’re all aware, the demand for good people in this field is slowly outpacing the supply. Hoping this would be helpful and productive.

We’ll be answering questions from 3:30pm to 5:30pm EDT. Typing for us is our company Reddit lurker, Eliad.

We'll also be using these users to answer questions:

  • 0xAmit
  • wizardclass_h4kr
  • CyberSoHard
  • cyber0x4c4244
  • Psyche2119
  • ElorionX
  • chartreuseninetails
  • MorriganGirl

Proof: https://twitter.com/cybereason/status/870361827661803521

Ask us anything!

Comments: 158 • Responses: 10

OrNevo14 karma

Hey. Thanks for doing this AMA, it’s very helpful :). I have a couple of questions:

  1. What subject would you recommend for a beginner? Assuming he knows the underlying tech (e.g. android development concepts for android security, C for memory corruption, JS and Node for web), what subject is the most beginner friendly, yet applicable these days? For example, I believe kernel security is not a field to which it’s easy to start.

  2. Is hacking harder these days to get into than before? Since tech and security awareness has increased, is it harder for newcomers to start?

  3. How could you practice when you started? How can one practice before he is proficient enough to be hired as a security expert? I’m not talking only about old, well known vulnerabilities, that can be practiced in wargames, but the practice of finding real, modern and relevant ones.

  4. Do you feel that the security community has changed? If so, how?

  5. What are some communities that you’ll recommend for learning, progressing and consulting?

Again, thank you!

icykid2983 karma

1) What path would you recommend for someone who wants to pursue a career in something Cyber security/Ethical Hacking related?

2) For someone with zero experience, and wants to get their foot into the field (Something related to Information Security) what certificates would you recommend for a beginner?

Eliad-Cybereason5 karma

1) Watch CSI Cyber - kidding. Read...read...read. Stay current and know and understand the basics. Build on a strong foundation of understanding OS internals; learn how to code in C then go to Python, but understand it and not superficially. If you are a student and are preparing for university, look for a credible Cyber Security program, but also put the time in and explore on your own.

2) Certifications are not for everyone and some may not find them to be credible, practical, or relevant; however, there are a few that are strong and those are the certs that test your practical understanding of the subject matter, such as the OSCP or some of the SANS training offered for our field.

n2ishin7 karma

You've mentioned several times that you suggest practical, hands-on stuff rather than certifications. Like some of the other users posting here, I'm currently:

  • Studying for my Security+ Certification
  • Actively playing wargames and CTF
  • Going to security conferences
  • Playing with Kali on vulnerable virtual machines
  • Learning C, Assembly and Python
  • (Trying) to contribute to open source
  • Looking for internships
  • Creating virtual machine networks and hardening them

Can you help me add more to the list? I'm studying and reading all the time and doing the things above, but I'd like to find more ways to gain practical experience. What's the next step?

Eliad-Cybereason2 karma

We actually don't have much to add to that, because that list is pretty comprehensive! Just make sure you follow through!

QuirkySpiceBush5 karma

Many hacking/netsec subReddits seem to recommend breaking into infosec by becoming a pentester. My impression is that this specialty represents a rather small (though undoubtedly sexy) slice of infosec employment. Do you agree?

What infosec specializations seem to be currently in demand relative to the number of qualified job-seekers?

Eliad-Cybereason5 karma

J: I joined a security team by being interested in security. I was on a devops team and anytime I saw something that appeared to be a security concern I brought it up with our security team. I then later joined the team when they had an opening. So, depending on the company, one way you can break into the field is by being interested in security and working closely with the team. What sort of security role you move into will depend on your skills.

Eliad-Cybereason9 karma

B: Offensive Security is undoubtedly one of the 'sexiest' fields in security. It is incredibly important, but mind that a company is more likely to hire a Blue Teamer (defensive security) than a Red Teamer (offensive security), and as there are more MegaCorps than consulting firms that's something to be aware of.

Specializations in Demand: Honestly, the whole fucking thing's in demand. Blue-Teamers that can double as sysadmins/IT professionals are going to have the best shot, but they're also going to have the shittiest time - they'll have to pull double duty, but they'll also have twice as many people clamoring for their skills. Plus, as you noted, everybody wants to Red Team (to be fair, there's nothing quite like the rush of popping a box) and nobody wants to work on firewall management and outbound filtering and asset inventory. The trick is to look at it from your potential employer's perspective: they want someone who can provide value and not just somebody who 'does the fun stuff.'

DarkAlman5 karma

What are the 3 most common security best-practice fails you see on a regular basis?

Eliad-Cybereason2 karma

Most common fails: Configuration management - lack of automation - lack of understanding of your assets (inventory) and how critical they are to your business.

AMillionMonkeys1 karma

What's the deal with those "cyber security" degree/certification programs? How many people that come out of them are actually qualified?

Eliad-Cybereason4 karma

B: I came out of one of those. Guy I graduated with didn't know what netcat was. Other classmates work at Google, Facebook, have started their own business.

You get out of it what you put in.

J: It depends on where you go, how much love and effort you put into it. Look at National Centers of Academic Excellence in Cyber Defense https://www.nsa.gov/resources/educators/centers-academic-excellence/cyber-defense/

Flex-Ible1 karma

Hey thank you for doing this AMA. First year computer science student here.

You mentioned all of you have had a passion project/white whale. Who of you would you say has the most interesting/weird one? What was it exactly?

Eliad-Cybereason2 karma

W: I got my start uncapping cable modems, and decoding free to air television. Everyone has a little miscreant in them.

Xenon18251 karma

So, I've been wanting to get into learning a language, and I don't know which one to pick. Do you guys know which one I should? (I mean programming language, in case any of you feel like getting smart)

Eliad-Cybereason2 karma

Start with C, take it from there!

Goreka1 karma

"and cut bad guys off at the proverbial knees. "

Can you elaborate on this?

Eliad-Cybereason2 karma

W: One of the most satisfying feelings in incident response is watching the bad guy moving from machine to machine looking for treasure, and once you understand their objective and methods, killing their connection and giving them a bad day.