Tracy Mosley is a reverse engineer and CNO developer at Fortego. She also serves as the company’s Training Coordinator where she attends and reviews top tech conferences across the globe throughout the year.
A lot of people have mixed perceptions about the term “hacking.” This isn’t the 90s anymore, so while some people still think of the black-gloves and tinkering image, nowadays more people imagine data breaches, ruined credit and stolen identities. Universities may offer a security focus or courses, but for the most part, folks leaving degree programs only have core CS/CE/IT knowledge. This list should help people go from general developer to Security focused. The resources below apply to the general Hacking/Exploitation realm.
1. Video Games
As anyone with kids knows, learning is easiest when it’s fun.
- Zachtronics: These games are fantastic for learning and having fun. Several options help apply hacking skills such as TIS-100, Shenzhen I/O, and ExaPunks.
- Embedded Security CTF: If you have an interest in embedded devices, working through Microcorruption is recommended. This game focuses on embedded systems vuln hunting and exploitation. It emulates an MSP430 microcontroller in the form of an electronic lock. At each level, which progresses in difficulty, you reverse the firmware, and find a way to gain execution to open a lock.
- CTFs and Wargaming: These ‘games’ aren’t quite the same level of true game as the ones above, but if you want hands on experience playing around, here are some more resources for those. Still more fun than reading a book! Check out Pwnable, WarGames and OverTheWire: Wargames.
2. Books
Look, I know. Books are not the easiest way to learn, but these are really well respected. They will definitely help you make the leap from general knowledge to security specific. Even if you don’t read every word in the beginning, these are fantastic reference books.
- Hacking: The Art of Exploitation: One of the best books on the topics. Well regarded in the community andi great for folks familiar with programming, but maybe not the world of exploitation.
- Practical Malware Analysis: This is on the list solely for the amount of times it’s been well reviewed by peers and industry leaders. If you’re interested in Malware or other RE fundamentals, definitely give this book a read.
- The Shellcoders Handbook: Discovering and Exploiting Security Holes: This book is much more in depth than some of the others. There are actual examples and while it can be dense, extremely valuable.
I was about to post A Bug Hunters Diary when I realized that No Starch Press has a Security section which pretty well captures this list. Check it out, or just go with the above as the standards.
3. Trainings
In person training takes the cake and there is no true substitute for being able to ask questions irl. Many conferences (REcon, OffensiveCon, Infiltrate, Blackhat, etc.) have training as well as the conference and those are extremely valuable resources. There’s so many great in-person trainings, but for now, here’s one set of in-person trainings and some other resources for online options. The online offerings are certainly worthwhile and don’t require the same financial commitment. Now is a great time to look into these resources.
- REcon Trainings: REcon is consistently one of my favorite conferences. The classes are offered at affordable prices and are VERY high quality. For more info on REcon check out my personal video review.
- Open Security Training: This has tons of beginner to advanced trainings on topics. Hacking Techniques and Intrusion Detection, The Life of Binaries, Introduction to Software Exploits and Reverse Engineering Malware is recommended looking into. Obviously, there are many different specialities in the hacking world, so diving into whatever you find most interesting and wandering down the rabbit hole is also recommended.
- Pentester Academy: Right now many of our engineers and analysts are at home utilizing Pentester Academy courses to help develop their skills. They get great reviews and some of the Fortego team’s recommendations include x86 Assembly Language and Shellcoding on Linux, Exploiting Simple Buffer Overflows on Win32 and Reverse Engineering Linux 32-bit Applications.
4. Online Resources
Several helpful picks didn’t fit neatly into the above categories. To get some ideas on what specific topics exist in the CNO/CNE/Hacking world, check these out.
- GitHub’s Awesome Malware Analysis: A big ol’ trove of things to read and explore about malware. There are a ton of these Awesome Lists around github on specific subtopics in the CNE/Exploit Dev realm. Just feel free to explore!
- Mobius STRIP Reverse Engineering: Rolf Rolles’ Best of is where it’s at if you wanna read things. But beware, this is very dense.
- Exploit.Education: Wasn’t sure where else to put this resource, but it is excellent. All kinds of security specific training and examples are available here and another self-paced, online resource.
- InfoSec Twitter: Don’t be afraid to reach out or explore infosec twitter. Honestly, it keeps me up to date with interesting articles, and while it contains a whole lot of “Well, Actually”, it’s a generally cool place to find more resources.
By no means a definitive list, think of the resources in this post as references and starting points to explore more of the security world. There are so many excellent ways to learn about exploit development and hacking. The barrier of entry for these is relatively low, meaning you can explore these in your spare time and/or on your own dime. Happy hacking!
Of course, experience is the best and most practical way to move forward in a CNO Development career. Fortego offers plenty of opportunities in Computer Network Operations from CNE to CND, from analysis to development. If you are interested in our careers, please visit our Careers page to apply.