Hacker Story - Anugrah
Hi, my name is Anugrah SR. I’m a cyber security consultant for the SecOps group, and this is my story.
I get a lot of DMs asking me how I got into cybersecurity after graduating with masters degree in biology. I honestly wonder the same thing sometimes. How did I transition from having a scientific research background to cybersecurity? When I look back, I see a long path that I once believed would’ve been impossible. I don't know if it's fate, the stars aligning, or something else, but today I’ve been working on cybersecurity for more than 100 days.
The Dream:
Hollywood movies inspired dreams of black hoodies and a terminal with fancy green letters. I would be lying if I said I didn’t also dream of being a hacker, typing randomly on the keyboard and saying, “I'm in!” during my school days in the computer lab, I would find the IP address of my teacher’s computer and mess around using RDP: my first hack!
After a couple of years, one of my close friends Abhishek told me a story about a kid who hacked terrorist emails and helped to secure the nation. We gathered some of his books, which, of course, didn't make any sense back then. We tried to learn ethical hacking but all the efforts were in vain. After finishing school in 2015, I got into the Indian Institute of Science Education and Research (IISER) in Bhopal. The next 5 years of my life were spent amongst the brightest minds of the nation.
Biology Expert:
I opted to pursue my master's in life science because it was interesting to learn and there was a lot to explore. I tried my hand at lab work, cell culturing, and experimentation, but computational biology really caught my attention. I was more interested in learning how a simple combination of an ATGC codon and environment make a blueprint for what we are. I spent most of my days in computer labs and workstations to decode the secrets in genomic sequence, during which I learnt bash scripting and a bit of python that came in handy later.
At one time, social media was brimming with news on hackers defacing government websites. I was curious to know how anyone did this, and messaged a couple people in the field, but unfortunately, nobody replied. There were not many resources to learn about this type of hacking back then. After wandering around, I found it was mainly done by a vulnerability called SQL injection, which starts by including an ' in the URL and a couple of words, and BOOM! You have successfully hacked your target website.
The next most popular one was something called XSS, which works by putting a magic word <script>alert("hacked by XYZ")</script> into the target website, resulting in a popup. Going through a couple of hacker profiles, I saw they were getting Sony t-shirts and Intel's appreciation letters. Do companies really give freebies for hacking them??? I found this to be interesting, but strange. We only hear about people getting arrested for hacking, but why didn’t anyone share this side?
The Inevitable:
And then while I was at the peak of ecstasy, coding and decoding, slowly but steadily pushing my limits and improvising, to build a career from this passion of mine, society was struck by the COVID-19 pandemic.
One seemingly ordinary morning in March, my phone buzzed with an email notification to leave the campus ASAP. A lot of us students had our thesis works that needed to be completed, a farewell party to be dressed up for, and now, the uncertainty of when we will see each other again. That was the last time I saw my college campus and the people who made it home.
During the lockdown period, I started to apply for Ph.D. positions in and out of India. In the meantime, I also wanted to contribute something to the ongoing fight against COVID. So I joined OpenVirus as an intern, aggregating scholarly publications and extracting knowledge on viruses and epidemics under the guidance of Prof. Peter Murray Rust and Dr.Gitanjali Yadav from Cambridge University. I then got interested in looking at my long left Twitter account, where I saw a couple of people doing a challenge on hacking using the hashtag #100daystolearnandimprove.
How I learned:
Compared to earlier years, the number of resources from where you could learn hacking in 2020 was unimaginable. There were so many more blogs, free labs, YouTube channels, and “Capture the Flag” exercises (CTFs), the resources are honestly endless! After the Herculean task of submitting my master's thesis, I wanted to do something new, the only thing that came to my mind was to learn to hack – bug bounties to be precise. “Bug bounties” is a term used to describe the rewards that companies provide for finding security vulnerabilities in their websites. I started reading blogs, and looking at others' findings and found out that the issue of missing Sender Policy Framework (SPF) records was an easy bug to find and people were getting rewarded well with it so, I gave it a shot!
That was the first and last SPF issue I reported! What did it cost? I got negative points on H1.
On May 25th I decided to do #100daystolearnandimprove challenge because I felt that it was the only way I would learn more and be persistent.
Now looking back, I’m proud of my amazing learning curve. I learned about owasp top10, the amazing world of recon, and more. After 3 months of numerous N/A and duplicate bugs, I finally got my first bounty of $100 for reporting an application level dos attack. I was so happy that day. Later, I ranked into the top 1000 globally in bugcrowd. I was building up so much confidence during those 100 days. Whether it was because of the bounties or the dopamine rush from finding a bug, I started having second thoughts on my career trajectory. Rather than leaning into my degree and becoming a scientist, I was considering changing gears completely to cybersecurity
Infosec Twitter is a great place where (apart from the occasional drama) you can learn a lot and talk directly to experts in the field but the best part is the giveaways. When I received a 3month Tryhackme subscription from John Jackson, and Pentesterlab subscription from Sillydaddy, it really turned my life around. I spent days and nights solving labs and learning as much as I could.
If you are a beginner, I would highly suggest Tryhackme for the basics. Once you have a solid foundation down, you can move on to other resources.
Infosec internship:
One day I saw a tweet from RogueSMG that Securelayer7 was hiring based on a CTF challenge. A CTF challenge is where you are given vulnerable machines to hack and get a flag. At the time, with no technical background and zero relevant certifications, I was having this self-doubt about who was going to hire me.
All the job advertisements I saw required CEH, OSCP, engineering degrees, and 2-3 years of relevant experience. So I took these CTF challenges as my proving ground. I was able to solve most of the challenges and have a portfolio to attach to job applications. Within a week after two rounds of interviews, I was offered an internship position I will be forever grateful to Sandeep Kamble and Securelayer7 for taking a chance on me.
During my internship at SL7, my responsibilities consisted of application testing, client meetings, report writing, and more. These experiences at Securelayer7 made me confident that this was what I wanted to do, and that this was the right career path for me.
First job:
A couple of months later, I got an unexpected message from a friend, asking if I was interested in a full-time job at UST. He gave me a reference, and after a behavioral and technical interview, I got my offer letter for my first job as a cybersecurity analyst! I was able to work with most talented people in the field, updating and upgrading my skill sets and protecting the organization from potential threats. The cherry on top was when I became a Synack red team member in June, and I even delivered a talk on my infosec journey during Infosec Writeup’s first-ever virtual conference!
Ditching my lab coat for the white-hat was one of the best decisions I could’ve made for myself! I would wish to thank everyone who played a pivotal role in my life. This wouldn’t have been possible without the help of this amazing community and the networks I’ve made along the way.
"There is no way to know if this is the right decision or not, but it's better than living a life asking what if I had taken that decision."
Key Takeaways:
- Google is your best friend.
- Learn to ask the right questions.
- Don't expect someone to spoon-feed you. There are no shortcuts.
- Engage with the community and surround yourself with people with the same mindset as you.
- Network as much as you can.
- Give back to the community.
- Success doesn’t happen overnight. Be patient and persistent. There is no overnight success.