Teach Yourself Information Security
Inspired by Teach Yourself Computer Science, this guide intends to provide a basic (and generally, free) set of resources for getting started with learning computer security while also answering the following questions:
- Which subjects should you learn, and why?
- What are some recommended books/video series/CTF challenges for each subject?
The consensus is that to build a strong foundation for infosec, you will want to start by studying networking, operating systems fundamentals (Windows & Linux), and some sort of scripting/programming language like Python or Bash. Study these first, and then dive into another subject (some of which are listed here) that piques your interest, if you want. There are many domains of infosec to explore.
§ The most important skill
Being able to research effectively is the most important skill that a learner can have. No one knows everything, you will inevitably forget things, and as your knowledge/experience increases, you will inevitably need to research questions that do not have a straightforward answer.
Bottom line: If you know how to find the answer to a question, you know the answer to the question.
Basic research guide coming soon, but some quick tips in the meantime:
- Google search operators allow you to look for data on specific sites, in specific formats (e.g. or
"webshell" site:github.com file:.aspx will return ASPX webshells on Github.com)
- In particular, adding quotations (e.g.
"reverse engineering malware") will search for an exact phrase, and prefixing a term with the minus sign (e.g.
-worm) will exclude results with that term.
- Typing the man or help command on Linux/Unix and Windows (respectively) before a command will give you more information on the arguments the command takes and how to use it.
- If there is a specific domain you're interested in, Google
awesome <topic> (e.g. 'awesome networking' or 'awesome osint'). This will bring up a lot of resources related to the topic you're interested in, typically in a Github repo.
If you have made a good faith effort to answer your question using available resources and still haven't found a satisfactory answer, it might be time to ask other people. This LiveOverflow Video goes over how to ask a technical question.
Networks facilitate communication between computers and understanding how they work is critical for nearly every other subject on this list.
- Computer Networking: A Top-Down Approach (Kurose, Ross) is a textbook that comes with (online/free) guided Wireshark Labs, PowerPoint slides, interactive knowledge checks/problems, and more recently, course videos. The supplementary website content can be used without the textbook.
- Professor Messer's Network+ Videos cover a broad range of networking topics and is structured around the objectives of the Comptia Network+ exam. These videos can be helpful for a quick reference.
- You can use certification guides as general subject study guides, without taking the exam (which costs money). A lot of IT certifications are glorified vocabulary tests that try to hit as many relevant points as possible, so they're excellent for rapidly understanding the basics.
- A certification is an exam that tests knowledge in a specific area of IT. See the Jobs/Certifications section of the FAQ.
- The Malware Traffic Analysis packet capture analysis exercises cover a range of different protocols, and includes solutions. Some of them are also available on the CyberDefenders CTF site.
- Building a Homelab involves setting up and configuring an isolated environment to experiment with computing technology. You might set up an Active Directory forest to practice implementing Windows security controls, a set of sandboxes to test malware, or anything else you can think of. This is the most hands-on way to learn networking.
§ Operating Systems
This is admittedly a large topic which consists of understanding the following, for both Windows and Linux operating systems:
- System Administration - necessary in order to navigate around the operating system, understand concepts like file permissions, and potentially implement security controls.
- Operating System fuctionality - important for understanding how programs (including malware) functions. You can probably get away with skipping learning this, but you will have a harder time grasping some concepts presented when you learn malware analysis / reverse engineering / digital forensics.
Like networking, learning how operating systems function is fundamental as the OS manages processes, memory, software, network connections, and hardware on the computer.
Resources for System Administration:
- TryHackMe's Windows Fundamentals and Linux Fundamentals labs take students through interacting with file systems, users/groups, settings/configuration, and basic OS utilities. These labs/rooms are free, but note that you will need to make an account and need to set up OpenVPN or use TryHackMe's in-browser interface, which does have limitations.
- For a completely in-browser (no setup needed) introduction to Linux functionality, try Linux Journey, which also has examples / exercises / built-in quizzes.
- OverTheWire Bandit wargame teaches students to navigate and use basic functionality of a Linux system via ssh (secure shell network protocol).
Resources for OS functionality:
- The Elements of Computing Systems (also called Nand2Tetris) takes students from building NAND logic gates to an assembler to programming a game (like Tetris) in a high-level language, giving you a pretty comprehensive understanding of how a computer works. It is project-centric, and there is also a 2-part Coursera course (free to audit) with video instruction.
- Windows Internals - there are multiple versions and volumes of this book, which goes over how Windows and core operating system functionality works. Version 7, volume 1 is nearly 800 pages. If you want to go nuts, read/skim the entire thing, but it's most important to read the first chapter, Concepts and Tools, which outlines fundamental concepts of the Windows operating system.
- Pavel Yusofovich, co-author of Windows Internals and a few other books on Windows has several courses covering Windows Internals on Pluralsight. Not free, but Pluralsight periodically has 'free weekend'/'free month' promotions. Worth mentioning.
- For hands-on practice, consider Sam Bowne's Windows Internals CTF, which is periodically run in conjunction with Windows Internals workshops that Sam offers at different conferences. You can still submit and check your flags, and each set of flags is presented in a lab-style format (with instructions & screenshots).
If there is a particular language you'd like to learn, go for it! However, Python is generally viewed as the best programming language for beginners to learn, as it is:
- high level, meaning that it is more abstracted from machine code and is more readable.
- versatile, and used for a wide range of subjects (including infosec). Many tools and scripts relevant to infosec are written in Python.
- widely supported - there are a ton of different online platforms that teach beginners how to Python, and abundant documentation.
In particular with programming, focus on understanding how to program with sockets, and make network connections with your scripts. Check out modules like Impacket and try using them in your scripts.
- Harvard's CS50 OpenCourseWare (free online course) takes students through fundamental computer science and programming concepts using multiple languages. It incorporates projects and is also available as an EdX MOOC course.
- Automate the Boring Stuff with Python is a (free) book that focuses on practical, hands-on scripting. Of particular interest is the Web Scraping chapter.
The C/C++ programming language is also recommended for beginners after Python, and is "lower-level", and are less abstracted from machine code compared to Python. In C, programmers directly interact with low-level infrastructure like memory and buffers. This makes C more challenging to learn. An understanding of C will be helpful if you want to do disassembly / reverse engineering, or otherwise have a better grasp on reading and understanding programs and how they interact with the operating system.
§ Open Source Intelligence (OSINT)
OSINT refers to collection and analysis of publicly available information, generally available on different parts of the Internet. Within the context of infosec, OSINT is used across multiple domains: incident responders may use it to identify the type of flaw exploited in a system, malware analysts may research domains and code snippets in an effort to attribute malware, and so on. Unlike other domains, the resources for OSINT are somewhat scattered because there are so many types of OSINT, which extends beyond the scope of research specific to infosec.
- Image/geolocation OSINT: Try Quiztime challenges on Twitter, which involves answering questions about an image or video after researching the origin/context.
- People OSINT: Try a TraceLabs Search Party CTF, where participants research missing persons cases and gather information that can be used by law enforcement. The Contestants Guide provides an overview, and includes link(s) to writeups on past CTFs. These CTFs are synchronous.
- Tracelabs also has active cases posted to their Slack/Trello, but are undergoing some organizational changes right now and are currently unavailable. These cases are not tied to a CTF and just exist for the community to work on collectively.
- Sourcing Games are a large set of CTFs originally created for recruiters/"sourcers." There is a good mix of challenges besides 'people'-oriented challenges.
Cryptography is built around mathematical problems/concepts. If you don't have a strong foundation in math, consider reading / skimming Mathematics for Computer Science, a free MIT OpenCourseWare textbook that has an accompanying online course. Reading through the Number Theory section is recommended for Cryptography, specifically.
- Dan Boneh's Online Cryptography Course provides an amazing overview of cryptography and includes videos and a free textbook (which comes with proofs and homework exercises). You can also take the course on the Coursera MOOC platform.
- CryptoHack is an online CTF platform focused around learning cryptography, focusing on "breaking bad implementations of "modern" crypto, such as AES, RSA, and Elliptic-curve" in an accessible way. Knowledge of a programming language (especially Python) is highly recommended. Some of the problems, like the 'Crypto on the Web' problems are very practical.
- Cryptopals is less gamified than CryptoHack, and has students program their solutions for each challenge from the ground-up in any language of their choosing.
§ Digital Forensics & Incident Response (DFIR)
Incident response involves immediate triage and response to a security incident (e.g. 'stopping the bleeding') whereas forensics typically involves retroactively 'stepping through' data in order to develop a comprehensive picture of what happened. These two fields are intertwined (and malware analysis may also be part of this), hence we are presenting them together.
- 13Cubed's Windows Forensics YouTube videos cover fundamental Windows forensics artifacts and concepts (like MACB timestamps) in a way that is easy to understand, with usage of modern tools provided as examples. These videos are also up-to-date, and relevant.
- 13Cubed (Richard Davis) also has other videos on memory forensics, and other DFIR topics. Probably the best collection of video resources on forensics.
- Incident Response and Computer Forensics (Luttgens, Pepe, Mandia) concisely and directly explains phases of the incident response lifecycle (preparation to post-remediation), gives an overview of forensic data collection techniques, and an overview of network and host-based forensic artifacts. It also presents case studies, which provides context on why certain actions are important. While this book was published in 2014, the fundamental concepts present - particularly, how to approach each phase of an incident - are still relevant.
- The Art of Memory Forensics (Ligh, Case, Levy, Walters) explains Windows, Linux, and MacOS memory forensics in depth, and utilizes the open-source Volatility (version 2) memory forensics framework. Labs and supplementary materials can downloaded from the book's website. Note that Volatility was completely rewritten (and is now much faster) and released as Volatility 3 in 2019.
- File System Forensic Analysis (Carrier) walks through a wide range of different file systems and strategies for analyzing file metadata and recovering deleted files. This book was published in 2005, but a lot of the material presented is still relevant. Resources like the Forensics Wiki can be used as a reference for newer file systems like ReFS.
- The DFIR.Training site is an excellent reference for many DFIR topics, and has a section that allows for filtering/searching different artifacts.
- The CyberDefenders Labs site has collected a lot of forensics challenges/images onto 1 platform, which is more accessible than accessing each challenge individually.
- Boss of the Soc (BOTS) is a team-based Splunk SIEM (Security Information and Event Management) CTF which challenges students to answer questions about realistic security incidents, and is of particular interest.
If you are doing DFIR, depending on the size of your organization, you may also be interested in Cyber Threat Intelligence (CTI). Intelligence-Drive Incident Response (Roberts, Brown) explains different CTI cycles/models and how they can be implemented into the incident response process.
§ Malware Analysis & Reverse Engineering (RE)
A prerequisite for malware analysis and RE is setting up an environment where you can safely detonate and analyze malware, and reset the environment back to 'normal' once you're done. This is generally done through the use of virtual machines (VMs), which are essentially emulated computers that you can run from your own machine (host OS) or the cloud (You can also use Docker containers). FireEye's FLARE VM is a Windows 10 environment that comes with a ton of preinstalled tools for both dynamic and static analysis. Note that you will need a Windows 10 ISO for it. REMnux is a Linux-based toolkit for malware analysis, and is especially helpful for analyzing malicious documents (maldocs)
When disassembling a sample, the disassembler will display machine language in Assembly language format, hence it will also be helpful to learn Assembly language (like x86), particularly for RE / binary exploitation. UoV's x86 Assembly Guide offers a straightforward overview.
- Practical Malware Analysis is a book that takes students through the basics of static and dynamic analysis, basic disassembly, and malware functionality. Each chapter has a set of labs which are downloadable via the book website.
- The amazing Sam Bowne periodically hosts an online PMA course (using the textbook and going through the projects) which he graciously allows any student to audit online for free. Check his website to see if he's teaching it soon, or use the videos/lecture notes from a previous iteration.
- Malware Analysis and Detection Engineering (Mohanta, Saldanha) provides a more gradual introduction to malware analysis (including chapters on Windows Internals, for instance) and has newer examples, but it is less widely available compared to PMA.
- Pwn.college is an online course that takes students through program functionality, Assembly, debugging and reverse engineering. Each module has videos and practice problems.
- Nightmare is an online course focused around CTF challenges to teach different RE concepts. Each challenge has a writeup and can be 'solved' using open-source (free) tools. Some of the
Resources for Researching Malware:
- Malpedia is pretty invaluable for tracking malware and associated threat actor groups. The site acts as an aggregator for information on different groups and malware families, providing easy access to high quality information on a specific type of malware you're trying to research.
- vx-underground groups malware sample by family and APT (advanced persistent threat) groups, with no account needed to download samples.
- ThreatFox IoC Database is constantly being updated with indicators of compromise (e.g. hashes, domain names, IP addresses, etc) for malware samples. Search by IoC, tag, or malware family. Also helpful for triaging incidents from a DFIR perspective.
For a more detailed discussion of resources for RE & malware analysis (including specific recommendations for learning about different types of malware techniques), see Hasherezade's How to start guide.
Penetration testing involves finding and exploiting vulnerabilities across an organization's computer infrastructure, which includes networks, operating systems, identity infrastructure like Active Directory, and applications/services. Emulating the different steps that an attacker can take as they move through a system is helpful for understanding how to defend against malicious activity.
- Penetration Testing (Weidman) walks students through setting up their exploitation environment and different phases of the attack lifecycle, including exploit development. Weidman has a YouTube Playlist with walkthrough videos to complement chapters of the book. While this book was published in 2014, the underlying concepts presented are still relevant.
- Note: Weidman is currently working on an updated version of this book per information posted to their Twitter account.
- INE/ELearnSecurity's Penetration Testing Student course takes student through prerequisite knowledge - including networking and programming fundamentals - before discussing different exploitation techniques. If you are looking to get started with exploitation right away, this is a good resource.
- Note: The course can be taken for free with the INE Starter Pass, though you will only have access to the course content (and not the labs). This course is used to prepare for the eJPT, which you can skip.
- HackTricks is an extensive collection of techniques across multiple areas of exploitation, and is a great reference for CTFs.
To practice penetration testing techniques, try exploiting some hosts on a CTF platform like TryHackMe or HackTheBox.
§ Web App Exploitation
Web apps represent a major part of how people interact with computers and the Internet on a day-to-day basis. Exploitation of them involves understanding different types of flaws in authentication/authorization and the way data is stored.
- Penetration testing encompasses this, but we are including it as a distinct section because many newcomers are specifically interested in studying web app exploitation so that they can pursue bug bounties.
- The OWASP Top 10 represents the most widespread / common web application vulnerabilities and is a standard for web application security. Click the hamburger menu (≡) > Top 10:2021 List to navigate to different pages explaining each vulnerability.
- PortSwigger Web Security Academy is a free self-guided set of labs/guides that explains web application vulnerabilies, providing hands-on labs for exploitation using the Burp Suite Framework. PortSwigger Academy was developed by the group behind the Web Application Hacker's Handbook and is updated as a living reference. Note that for some labs, using the Burp Suite Professional (not free) is advised - you can skip these labs or complete (some of) them with Burp Suite Community (free) Edition (which is admittedly a bit harder).
Use what you have. You don't need any specific hardware or operating system to learn. This includes Kali or Parrot Linux, two penetration testing-focused Linux distributions.
It will be helpful to have some sort of Linux command line interface from which you can install and run tools.
- If you are on MacOS or a Linux distribution, awesome! Use your installation manager of choice and plonk away.
- If you are on Windows, you may consider installing a virtual machine, or using Windows Subsystem for Linux (WSL).
§ What if I want something that will give me a bit of everything?
- SANS Cyber Aces goes over just the fundamentals. There are several hours of content here.
- Professor Messer's Security+ course videos are structured around objectives for the Security+ certification exam, so referring to the videos provides a good way to hit a lot of different points. Warning: there are ~21 hours worth of video content.
- SOC Core Skills with John Strand is a 16-hour (4 days x 4 hours) live/synchronous course with hands-on labs offered periodically through Black Hills Information Security Antisyphon. It is pay what you can and seems to be offered every 4-5 months.
- TryHackMe's Learning Paths offer a more structured exploration of infosec topics through CTF 'rooms', which contain instruction and hands-on exercises. Note that some of the rooms require a subscription, but most are free. You can also choose rooms individually to explore via the search tab.
- HackTheBox Academy also provides an instruction & exercise-based introduction on the HackTheBox CTF platform, with some of the introductory 'modules' being free, and others that need to be unlocked based on 'cubes' earned from completion of exercises or purchased as part of the subscription model or 1-time payment.
§ How do I get a job in infosec? What certifications do I get?
Ultimately, when you apply for a job, you are selling a story of what you did, who you are, and what you bring. In IT, employers care about many things, but these components can generally be broken down into 3 parts:
- Experience - the most important, this not only includes job/internship experience, but also personal projects like your homelab, or that blog post explaining some malware you analyzed, or the bot you wrote. It also includes volunteer experience, participation in CTFs, as well as community involvement.
- Education - for some orgs, this is a hard requirement. Studying Computer Science is one good option, as the curriculum is relevant to most areas of IT and you will develop strong foundations for how computers work. You can also do a cybersecurity program, but be sure to scrutinize the curriculum to ensure that you will be exposed to low-level (e.g. technical) concepts that are more hands-on than abstracted, or theoretical.
- That said, not having a CS (or STEM) degree is still very valuable - you just need to identify how and fold that into your story. For example, studying philosophy may mean that you are very good at dissecting and analyzing problems. Figure out how what you have studied makes you awesome, and be able to talk about it.
- Certifications - certs show that you passed a test, and can augment your experience as physical proof that you have knowledge in an area. Certs are valuable depending on your desired position and local job market, so do research using job boards to see which certs are in demand.
- Paul Jerimy's interactive Security Certification Roadmap groups security certifications by area of focus, with more advanced certifications towards the top. Hover over a cert name for more information (including costs).
- Some certifications are exorbitantly expensive, because they're priced for employers, not for individuals.
While having all 3 of these points is ideal, you can get a job with just 2, or 1 (but it will be more difficult). If you identify that you can't do 1 of the 3 points, supplement by doing more of what is feasible for you.
- /r/ITCareerQuestions Wiki is not specific to security, but answers a lot of common questions regarding IT jobs and generally gives good advice for getting into IT.
- Black Hills Infosec's 5 Year Plan into Infosec provides an outline on how to establish and progress your learning over 5 years of your career.
- Daniel Miessler's Build a Successful Infosec Career explains how to get yourself into the field, what to study, what certs you can get, and how to progress long-term.
§ How do I stay up-to-date on infosec topics?
If you generally want to stay informed, here are a few options:
- Join local (or remote) meetup or interest groups. Some popular groups which may have chapters near you include: 2600, DEFCON, OWASP, ISACA
- Twitter - follow different tags and groups of users and then use Tweetdeck to get a good view of things happening day-to-day.
- Email aggregation feeds/lists - Personal suggestions: I'm subscribed to the following email newsletters: SANS NewsBites (semiweekly summary of infosec news articles, with commentary from different subject matter experts) and Daniel Miessler's Unsupervised Learning newsletter which also has a podcast.
- Set up some sort of feed, be it an RSS feed using Feedly or a Discord server with a feed produced via the SocialFeeds bot.
- YCombinator's Hacker News aggregates news articles and blog posts relevant more generally to technology and compuer science. HNRSS provides several RSS feeds for it.
§ What is a CTF?
Per the Trail of Bits CTF Field Guide, Capture the Flag competitions "distill major disciplines of professional computer security work into short, objectively measurable exercises. The focus areas that CTF competitions tend to measure are vulnerability discovery, exploit creation, toolkit creation, and operational tradecraft."
CTFs are generally grouped into 2 categories:
- jeopardy style, consisting of individual challenges focused on different domains of infosec, such as forensics, binary exploitation, OSINT, IoT, etc
- attack/defense, where each team has vulnerable services/computers that they need to configure/defend, while also attacking other teams' resources
Here are some good asynchronous CTFs for starting out:
- OverTheWire Wargames are SSH/shell-based, have cute themes, and cover topics from the absolute basics of using Linux utilities to web security to exploitation techniques.
- PicoCTF is a beginner 'jeopardy-style' CTF that assumes no knowledge. If you are in middle or high school in the US, you can also win prizes. Available as a synchronous (e.g. time-limited) CTF and retroactively for play.
- TryHackMe is platform for learning security with 'rooms', which are either challenge-oriented (where you need to obtain flags with almost no instruction) or tutorial-oriented (instruction-heavy).
- HackTheBox is similar, but almost entirely focused around exploiting virtual machine 'boxes', and is less tutorial-oriented.
- The CyberDefenders CTF platform collects multiple blue team-oriented CTFs (e.g. OSINT, log/pcap analysis, maldoc analysis, memory/forensic analysis) in one place. You can search for a 'writeup' if you get stuck.
If you want to do a live / synchronous CTF that is more time-restricted, check out CTF Time.
Version -0.125. DM feedback to @wifi_ve