The skills shortage in cybersecurity has reached peak levels, with more than 500,000 job openings in the field while major cyber attacks loom on the horizon. Organizations are desperate to acquire this talent, and as a result, companies are turning to “ethical hackers” to strengthen their cybersecurity practices. These ethical hackers are experienced professionals who make a living by proactively finding flaws and vulnerabilities.
So how did these ethical hackers get started?
Unbound by the usual requirements of a traditional technology role, they are able to use online resources to self-educate, observe other hackers, and study the tactics of existing professionals. By using these resources, novice hackers can find their specific passion within cybersecurity and eventually make their own mark in ethical hacking.
Beginners should look here
When they first dip their toes into the world of hacking, beginners should use basic resources to familiarize themselves with the terminology, best practices, vulnerability reporting, and other topics they are expected to know in an organization.
Practice makes perfect
Sometimes the best way to learn is by doing. The labs below allow hackers to gain hands-on experience with various forms of ethical hacking.
- Pentesterlab: A practical, hands-on approach to learning to hack.
- Portswigger Labs: Huge set of web application security labs that are completely free.
- TryHackMe: Cyber security training platform and competitive hacking game where you choose between three streams: pre-security for the basics, offensive pentesting, or cyber defense.
- Hackthebox: Best known for being an ongoing worldwide competitive Capture The Flag (CTF). They also offer training “tracks”.
- Kontra: Online platform offering a range of hosted labs designed to teach developers about application security.
- Hacker101.com: Online training platform for web security, created by the bug bounty platform Hackerone.
- Vulnhub: Platform that allows users to upload “challenge boxes”, deliberately vulnerable virtual machines. The goal is to gain root / system-level access on these machines by exploiting various vulnerabilities.
Learn from the experts
Ethical hackers are often eager to share their findings, and beginners should follow them closely. Understanding how professionals approach their bug bounty work will help new hackers form effective habits of their own. (Note: Some of these resources have not been updated for a long time, but even older material can be very informative!)
- Hackerone Hacktivity: Endless stream of publicly disclosed vulnerability reports on the Hackerone platform.
- Crowdstream: The Bugcrowd equivalent of Hackerone’s Hacktivity.
- Pentesterland: Provides a large, curated list of bug bounty write-ups and resources for novice hackers.
- D0nuts blog: A mixed bag with lots of gems inside.
- Intigriti’s Medium publication: Filled with lots of great bug bounty content.
- Secjuice: Non-profit publication that posts articles on cybersecurity, including CTF write-ups, tutorials, methodologies, and more.
- Discover Labs: Publishes a large amount of cybersecurity research from high-profile hackers.
Sit back and watch
Another good way to observe existing hackers is YouTube content. Many notable hackers post content about their work to share knowledge. New hackers can gain an understanding of careers, new findings, and how to work with corporate bounty programs.
- Liveoverflow: This YouTube cybersecurity legend has released over 300 videos on a wide range of topics.
- John Hammond: Channel covering all kinds of topics, including CTF walkthroughs, programming tutorials, interviews, the dark web, malware analysis, and more.
- Nahamsec: Hosts “Recon Sundays” every Sunday, where he streams recon and brings on guests.
- STOK: Makes videos that mainly deal with bug bounties. He interviews hackers, documents live hacking events, and publishes “Bug Bounty Thursdays”, a weekly industry news update.
- Farah Hawa: Takes complex topics and explains them in a way you will understand by breaking them down to the basics. She covers different bug classes, hacking processes, and careers.
- Codingo: Creates bug-bounty-specific videos, including tools, hacking processes, recon, and more.
- PwnFunction: Focuses primarily on web application hacking.
- Ippsec: Creates walkthroughs of HackTheBox challenge boxes that simulate looking over the shoulder of a professional.
- InsiderPhD: Makes videos about hacking, bug bounties, machine learning, and more.
- Hakluke: And last but not least, it’s me! Instructional videos, explanations of bug bounty reports, and career and mindset videos.
Have fun with hacking!