My Favorite InfoSec Learning Resources
I am always learning new things about security, and sometimes mentor junior team members on where they can learn new skills. I find that a successful practitioner is one who not only spends time understanding the security concerns, tools, and skill sets, but also the underlying technologies to be protected as a normal user would.
This may mean spending time understanding the life of a sysadmin for OS protection, programming for securing development, cloud administration, etc.
I am not an expert in all these areas, but I love to broaden my view. Here, I wanted to share the learning resources I find myself returning to when I need a refresher on something, or assets I suggest a colleague leverage to skill up quickly.
Security Books
Penetration Testing by Georgia Weidman. This is great for everyone in the field, pen tester or not, because of how Georgia lays out the tools and processes a pen tester can use, along with common vulnerability findings.
Securing Devops by Julien Vehent. This book took me by surprise with how good it is. The best book I have read for understanding the many facets of real security programs in modern companies - devops, cloud security, log centralization, and more. It's also probably the quickest read on this list.
The Practice of Network Security Monitoring by Richard Bejtlich. I love this book from a defensive perspective, as it teaches all about setting up network monitoring and detecting and reacting to intrustions. I am still working my way through it.
The Art of Software Security Assessment by John McDonald, Mark Down, and Justin Schuh. This book is a beast to get through, but is the seminal text on assessing a piece of software from a security perspective. It is thorough and detailed, walking through proper processes, strategies for tackling an audit, and a huge variety of vulnerabilities and how they present.
Gray Hat Hacking by multiple authors. This is a great second security book, after Penetration Testing, for getting your hands dirtier. I find the examples tend to run a little light on the theory, requiring follow up research and reading, but that's not a bad thing. This book walks through a little of everything: fuzzing and finding 0day's, web app pen testing, running scannings, network attacks, OS attacks, and more.
Open Source Intelligence Techniques by Michael Bazzell. This walks through many ways to find information online. Some of it is basic (google hacking and leveraging search well), and some of it is advanced. The book is focused on individuals, but the concepts can be leveraged to anything. The flip side of this is an excellent guide to privacy. His website is a great resource for both as well.
How to be Invisible by J.J. Luna. This may not be strictly a security professionals book, but it does outline a number of ways to protect your assets, privacy, and security both online and off, using a variety of legal tricks and security practices.
The Web Application Hackers Handbook by Dafydd Stuttard. I was a little conflicted putting this here because the book has a lot of proprietary tool stuff, though I still think it is the best book to learn classes of web application vulnerabilities and how to find them.
Capture the Flag / Hands On
After reading theory, and perhaps running specific examples or labs, I like to practice in slightly more open environments. Here are the ones I have enjoyed the best, keeping in mind that there are many more available than I will ever have time to try. If something sounds interesting - try it!
Over the wire - Natas is great for web pen testing, and the rest for coming up to speed on things like buffer overflow and memory corruption. I haven't completed everything on the site, but I always learned a lot. All the challenges are free.
Pentester lab - an excellent site for learning, with a structured approach and courses. Unfortunately, it's a modest investment on an ongoing basis.
Vulnhub - Download lot's of (Free!) vulnerable VM's. If you are just starting out, try out the Kioptrix series (1-5), Minotaur, pwnlab, stapler, and VulnOS.
Hack the Box - One of my favorite sites. VPN into their network and have fun! There is a small hacking challenge to get an account. They have a Pro version, but the free one is plenty for part time learning.
Fuzzy Security Tutorials - More a mix of tutorial, VM exploit walkthroughs, and overviews of concepts - this site has many interesting resources for learning aspects of hacking.
Here are a few good cheat sheets: enumerate network services, reverse shells, and one for privilege escalation (it's a little old, but still relevant - the methodology is what counts.).
Programming
I'm a programmer by trade and only entered the security field later, so I am less versed in early learning. I first learned programming by picking up an introductory C++ text and working my way through it cover to cover, before entering college. I picked up some bad practices, and missed some important concepts doing it this way, so I usually recommend structured courses to start.
I recommend starting with Python if you are new to programming. It is easy to read compared to some languages, has relatively simple tooling, and is frequently used by the security community.
Udacity programming track - Start with Introduction to Programming, and go on to Design of Computer Programs. The second one in particular is one of the best programming courses I have ever taken, including many university courses. Both of these should be free, but Udacity has many paid courses and I have always found the content good.
Developing iOS 11 apps with Swift by Paul Hegarty if you want to learn iOS development or mobile more broadly. This is probably less helpful to security practitioners unless you are specifically working with mobile app development teams. This would be a very challenging first programming course, as he assumes the student is already familiar with most programming concepts (data structures & OOP specifically).
The Go Programming Language by Alan A. A. Donovan and Brian W. Kernighan. I prefer Go for command line tooling over python for a number of reasons. Mostly, I find that a compiled language removes all the local dependencies that Python comes with, and the golang compiler makes it easy to build for different systems.
Certifications & Courses
I really like structured learning. Unfortunately, I have not found many courses that I really like. I have taken some great SANS courses, but can't recommend them due to their high cost, unless your company is paying.
The same is true for certifications. The two I think are most valuable over all are the CISSP (requires 5+ years experience) and the OSCP. Others may be a good investment depending on target jobs and employers, especially Security+.
With all of that, there are really only two things I can recommend, with the caveat that I personally have not completed either.
Pen testing with Kali by Offesive Security. This is the official OSCP preparation course, and is highly touted in the community. It starts at $1000, which is not very expensive considering other top tier classes.
Pentester lab as I mentioned above. Their pro service has some excellent courses and hands on. A lot less investment to get started at $20/month.
Ongoing Reading and News
Often, I find I learn the most when I stumble across a newly discovered exploit or vulnerability, then take the time to research how it works. Most of the CTF challenges and formal training options will cover only a subset of real world attacks. Reading the news will broaden your understanding of attacks that need to be considered in production environments.
Additionally, attacks like encryption downgrade attacks, cache poisoning, or phishing are rarely well represented in training labs. Reading about real world attacks and defenses help greatly in this regard. Here is a list of news and infosec sites worth following - there are too many to watch regularly, so pick the ones you like or use an RSS reader.
Bleeping Computer - News about current attacks and breaches. Most articles aren't technically deep.
r/netsec - a reddit community discussing vulnerabilities, exploits, and tools. Great for learning.
Naked Security by Sophos - Another news site about current attack trends.
Krebs - Great in depth write ups on security news, sometimes breaking news, and general security information
ThreatPost - yet another news site
Dark Reading - another popular security news site
Conclusions
There are tons of other learning resources out there. I didn't touch on many areas of importance such as networking, sysadmin, architecture, and cloud. Each of these is a domain of their own, and I learned them largely by doing and reading to solve problems in my day job.
My philosophy has been to learn continuously, and be curious. I investigate things I don't understand well, and prefer fundamental understanding over edge understanding. When given a choice on where to focus my time, I generally choose to focus on the broader concepts, which apply to more things, than specific exploits or vulnerabilites.
A good way to think about it is, if I come across an exploit that takes advantage of something I don't fully understand, I will take the time to understand the underlying system and how it works, rather than focusing on the exploit. Later, I can come back to the exploit with a much deeper understanding of how it was found and exploited, as well as all exploits of a similar class.