Building a Cyber Portfolio with TryHackMe
How to build skills for cyber without all the cost: video and full transcript!
Videos + Full Transcripts?
In testing out some new editing and AI transcription processes, I’ve discovered an easier way to make a video and produce a quality transcript at the same time! Now people who don’t want to watch the videos can still read what they are about without suffering through my dull voice =)
In this video we cover an article about a journey through TryHackMe learning paths, with insights as a cyber professional and hiring manager on how to build a portfolio out of the learning paths and map them to certifications.
Enjoy! (Full transcript right below the video!)
Intro
Chris: We're going to be talking through an article today on TryHackMe and learning paths. I get a lot of questions on Twitter from people trying to break into cyber, and I keep seeing articles pop up on TryHackMe. The name of the article is "Cybersec, Noob to Novice in 400", which is important because I see a lot of people that wanna figure out how to start
Adversarial Mindset
Automated: TryHackMe is an online educational service designed to teach beginner, intermediate, and advanced users how to think differently about the computers and services in front of them.
Chris: I call that an adversarial mindset. Having an adversarial mindset is being able to think differently about concepts, because you have either learned how to attack them and can think differently, or you have seen the attacks and know what to expect. Thinking like an adversary can be turned and used for both offensive work like red team pen testing and defensive things like SOC or threat hunting.
Automated: TryHackMe keeps every room/challenge within a restricted environment where concepts can be discussed at length without damaging real people and property. A room might have a database that stores information with a vulnerability that will give up that information in an unintended way, but this stored information is completely useless outside of the room. The goal is to make services more secure by teaching mitigation strategies to prevent these hacks where they can cause real problems for people.
Most times the information contains flags, which are used to answer questions. The purpose of showcasing these hacks is simply to bring awareness to how difficult it is to make a service do everything securely.
Starting Out in Cyber
Chris: CTFs and labs in general that a person is gonna learn on TryHackMe are pretty much only relevant for that specific lab machine or that device.
It's to learn the general concepts behind an attack or how to defend against it.
So as people are getting started out in cyber, they're trying to figure out which path they want: do they wanna go offense or defense, reactive or proactive, attack or recover?
Mitigation strategies are important, and it's good to learn both sides, offensive and defensive, of cyber security, right? In order to defend against an attack to the best of your ability, it's also good to learn how to conduct the attack too.
As you're just starting out, really just learn a little bit about each thing, because you need to decide which path you find value in, because cyber security is a very stressful job. And if you don't like what you do, then it's gonna be even more stressful. So if you're gonna be stressed, you might as well like what you do.
Landing that First Job
Chris: A person needs to specialize quickly as they're starting their cyber security career, because you wanna be really valued at one particular skill, because that's gonna give you an opportunity to get on a team, like an analyst position or maybe something a little bit higher up with more responsibility.
Pick a specialty and start getting great at it. You probably could have done this six months ago. You've experienced all sorts of different cyber security learning; that's great. Now it's time to pick a specialty and get really good at that.
Maybe that would help with their burnout, right? They're not trying to learn everything. They're just trying to get really good at one specific thing.
Once you get your first break and you get into a team for the first time, then you can start to spread out a little bit more. But for those looking for that first foot in the door, I do recommend specializing heavily and sticking to that. You're not trying to get every job, you're just trying to get one job.
Automated: I'll give some advice in hopes that it helps you consider how to best manage your time learning on the site.
I plan on dedicating days to TryHackMe with a topic of focus in mind. For example, I might spend a day learning all about different SQL injection methods, or maybe even make some rooms on the site to show off some topics that haven't been discussed much on the site.
These will be topics based on what I find interesting rather than whatever is the easiest question to answer, to maintain the streak on my busy.
Learning Tempo
Chris: This is good. The more passion a person has, a healthy passion, the more they're going to want to dig into learning something. And if they're motivated and see it as an opportunity and not as a waste of their time, they're gonna learn even more.
They will discover whether they want to execute SQL injections or they want to defend against and prevent SQL injections. That will help them quickly, over time, figure out which path they want to go down. And then within that they can figure out how to do even more that will help them truly land a job.
Automated: Here are some of my favorite broad topics: web security; cyber security tool literacy (Metasploit, Burp Suite, Hydra, GoBuster, et cetera); network security; recent CVE demonstration, mitigation and discussion; phishing emails; OS-specific security (Linux and Windows); Active Directory.
Important Tools to Learn on TryHackMe
Chris: Looks like there are good topics here on TryHackMe: web security and pen testing. Tool expertise, I call that tradecraft or tool tradecraft. Network security is good if you're gonna be a defender, or if you need to debug why your attacks aren't working.
CVE demos, mitigations and discussions can be good, although it's not gonna be real time; people have to make these courses. But it's good to get an understanding, because it's essentially a case study. Phishing, probably, hopefully how to do 'em. OS-specific security: it's always good to have at least some mastery of the major operating systems like Linux and Windows.
Active Directory is gonna be important, especially as more and more companies move to cloud-focused Azure Active Directory, and it's just easier to integrate even for those mixed operating system environments.
Automated: TryHackMe has over 500 publicly available rooms at the time of writing this, all teaching a wide variety of topics. Some rooms are for subscribers only, so that's something to keep in mind. With this being said, TryHackMe has plenty of free material to allow you to consider subscribing before you pay 10 US dollars.
They also have pathways which include rooms focused on a specific topic.
Why a Portfolio is Important
Chris: I've been recommending a lot of these pathways to people. From what I've seen from TryHackMe, most of it's free, but the subscription price is pretty low: 10 USD a month.
And it's good to build your portfolio too. As people are trying to get into different jobs or upskill or whatever, it'll build a portfolio 'cause you can point to something and say, Hey, I may not have so much real-world experience, but I do have all these certifications and all this training I've been through.
So if you hire me, you're not starting at zero.
Automated: On the day that I'm writing this, I am making a choice to purposely end my 400 day streak. The long story short is that I felt that I was no longer engaging deeply with the content. What started as a pure passion to learn quickly became a daily mindless routine. Sometimes I would do more, sometimes I would just barely reach that one question.
Answering questions was now the first priority, pushing learning to second place.
Recovering from (Cyber) Burnout
Chris: I think this is a pretty good symptom of burnout. Moderation in all things; it's good stoic philosophy. A 400 day streak is great, but if the author is no longer seeing opportunities to grow every single day, it would be better that they take a step back to recover.
Because sometimes the hardest thing to do is not to do anything at all, but it's what our brain needs. So it sounds like the author's taking a step back. I agree on that, to ensure that there's no permanent damage to their passion for cyber security or whatever path they were going on.
And as a person's first learning any new skill, those first couple, few months are gonna be important. You will typically spend most of your energy bursting right away, and then it'll slow down later on. So if you're able to maintain that motivation with gamification and streaks and achievements, then you're probably gonna stick around even longer.
Now, while the author is lamenting the fact that they were addicted to the gamification, they still have learned things. There obviously were some diminishing returns on the learning, the way that they feel. But I personally think that if somebody spends 365 days learning something every day, especially something like cyber security, and they look at where they are on day 365 as opposed to where they started on day one, it's gonna be a staggering increase.
It's gonna be a huge difference. I don't think their time was wasted. Could it have been spent more efficiently or better? Yeah. Do I think it was wasted? No.
More than that, they've also gained a lot of experience and knowledge about cybersecurity, and that stuff may not be as cutting edge as the days go on and two years from now, but a lot of those foundational things really don't go away. And if those skills do become a little bit outdated, it's very easy just to put something right on top of them and bring 'em right up to speed, so they don't really go away.
They're always useful. So I don't think the author wasted their time.
Mapping Knowledge to Certifications
Chris: With the type of knowledge that we're gaining from a place like TryHackMe and all the visibility you get from building a portfolio, you may not even need this certification. If a person's really crafty, they can take all of the learning they have done and map it to a certification, and then on their resume or CV they could say they have completed all requirements needed for this certification,
and then it would even be fine during an interview to say, I've completed all those requirements. I have the knowledge for it, but I don't have the financial wellbeing to take the certification. I've done my research, I have the experience, I have a portfolio. Check me out.
I have the knowledge of the cert. And personally I think that would go a long way. Portfolio is important. Certification, not so much.
Christopher: I want learning to be my first priority.
Tips for Breaking into Cyber
Chris: I think the biggest thing that I wanna take away from the article is just that they stuck with it, right? They learned things. They knew when it was time to stop and move on to something else. And now they already have a plan on how they're gonna move forward even past that. That's great.
More people need to have a plan, and these free resources are great. So the things that I would really want to hammer home on this type of content, this video, would be: TryHackMe is great. It's free. It'll give you a portfolio if you stick with it. Map that portfolio and those learnings to certifications if you can't afford them.
And use that portfolio on your resume to say, Yes, I have met all the requirements for these certifications, and I'm happy to take that certification if the company wants to gimme financial assistance so I can validate everything. But typically, from my perspective of being in the field for a long time, that portfolio is more important than certification.
A portfolio is something that the person has built. It tells me what kind of person they are, what their interests are, and how motivated they are, both as a person and as somebody trying to break into the field. Certification just means that you studied a lot. Unless you start getting into the other certifications, like offensive security certifications; then not only do you have to study a lot, but you also have to prove those things.
If this video is interesting to you or you like it, whatever, definitely give a thumbs up and subscribe, and we will get more philosophy and hacking and everything in between out the door as quickly as I can.
So thanks.