Attempting to make a path

The importance of writing it down

The fastest way I could find to just get started in a semi-public place to write is on Github with Jekyll, so here we are. For the past year or so, I have found that I enjoy (and have something of an affinity for) basic information security. Really, I watched some ippsec and Derek Rook videos on youtube and followed along in my own Kali VM. I started following various personalities on twitter, and found myself spending more and more time on the site or in the app (time management is a topic for another day, I think) and slowly realized that ideally, my post-military-retirement career would be in the infosec field.

As I said, a year or so. That’s too long with no defined version of success. I have less than 5 years before I retire so I’m blessed with the ability to build toward whatever the end-state happens to be. For now, I’ll keep that end-state vague and just say that my ultimate goal is a career in the infosec field upon retirement. Maybe somewhere in this journey that will focus toward pen-testing, incident response, red team, etc.

Cool, a vague goal, now what? Well, that’s why I’m writing this. I’ve spent too long with dreams and the path to their achievement stuck floating around in my head. Do I keep watching youtube videos on hackthebox machines and following along? Do I dive into certifications? Really, who cares. I just need to do something, work toward something objective and measurable. That can be a root own on HTB per week (with or without walkthrough assistance, video or otherwise) or it can be movement toward a cert of some sort. Here’s where I write it down. All that said, this plan can change, but it needs to change from something. I need a plan so I have something to adjust. It needs to get out of my head and onto, well, a github blog.

The plan

Ok, I need consistency and measurable goals. Let’s just throw some shit out there that’s floating around in my head and then we’ll prioritize, categorize, and temporalize (woah, that’s actually a word, I just googled it).

  • HTB
  • General Reading (/r/netsec, twitter, darkreading, etc)
  • Certs
    • Sec+
    • SANS
    • eLearnSecurity
    • OffSec
  • Meetups / Cons

Ok. That last one is, I think, possibly the most important and easiest to implement. Go. Marc - Go to conferences and meetups. I’m in DC for another 20 months or so. DC202 meets occasionally. Go. NOVA Hackers meets on the second Monday of every month. Go. This one is hard though, because NOVA Hackers has a presentation requirement. One can only be in the group if one actively contributes to the group. I need to do that. So, measurable goal: present at NOVA Hackers in December. I don’t know what I’ll present on, but that’s for later. More measurability: determine presentation topic by 20 Nov and have slides ready by 3 Dec. For Cons, I might be limited by my ability to F5. I already have BSides NOVA tickets, so I’ll go to that. If I can get shmoocon tickets, I’ll go to that too. Which presentation path I’ll take is probably worthy of another blog post, but for now… I’ll go.

General reading is a bit too nebulous, so we’ll leave it out of the realm of goals for now. HTB, though. Let’s spend at least 2 hours on a non-retired HTB machine per week. That’s doable right? I think that will foster the creative and critical thinking that cert studying can’t really do, book cert studying anyway, while keeping up with familiarization of tools and techniques. I need to do things on my own a bit more. Thanks ippsec and r00k, but it’s time I at least lengthen the apron strings, if not cut them entirely.

Now, on to certs. I hear OSCP is sort of the gold standard, but it’s also hard and not accepted by the government for whatever information assurance standards they have. I don’t necessarily want a government job, but hey, it’s worth applying to the consideration calculus. That said, in the interest of attainability, I think it would be better to start with something cheaper and easier. I honestly believe that I can pass Sec+ with a book or two and consistent studying. I think that that is a good starting point for certs. I’ll have the self-debate later as to whether or not I should try “challenging” a SANS cert later (maybe GSEC or GCIH) to maximize my remaining G.I. Bill benefits. Then maybe I can finish off that G.I. Bill with a SANS graduate certificate. Again, something to consider later.

Daily/Weekly Goals - Routine Building

  • 30 minutes of cert studying per day (hey, it’s a start)
    • I’ll shoot for right after the kids go to bed
  • 2 hours of unguided HTB work per week
    • Likely a weekend task
  • Minimum once per week writing here
    • Document what works / doesn’t
    • “Workshop” presentation ideas or write through a problem
    • Goal status, goal changes

Long Term Goal

  • Sec+ by June 2019
    • Schedule the test in March 2019
  • GSEC by January 2020
  • I’m going to write it down, but it seems so far off - OSCP by January 2023

Let’s get started…

Written on November 5, 2018