Before I get into the main discussion, I want to introduce myself. My name is Jonathan and I am currently working as a Malware Prevention Reverse Engineer at Bank of America. I also have my brand (IAANSEC) and work as a security consultant/freelancer for other companies in my spare time because I believe one should always have a side hustle, especially in today's economy. I've been studying cyber security full-time for the past 4 years starting in 2019. I mainly studied on platforms such as:
- and more!
Like many others in this field, I grew up being very curious and loved learning. My interest in Cyber Security was piqued in my senior year of high school. After graduating high school in 2016 I realized I wanted to get into Cyber Security as a career, but wasn't entirely sure where to begin. So for about a year I did some research in the field, learned a bit about Penetration Testing on Udemy and studied CompTIA study guides. During this time, though, I was working in retail full-time and proceeded to do so for the next 6 years.
Working in retail was dreadful, but the one thing that got me through the day was looking forward to going home and studying. I enjoyed the material that I was learning; once I got home around 11 pm after work, I stayed up and studied until 4 or 5 am. For about a year I spent my time studying the CompTIA study guides. I also had no intention of taking the exam for any of the CompTIA certifications because 1. I could not afford to spend that much money at the time and 2. I was still deciding which path in security I wanted to pursue. Around August of 2017 I was pressured into enrolling in college by my parents.
At the time my parents persuaded me that college was the best way to land the career I was aiming for. Since I did not have any other ideas on how to land a career in the Cyber Security field, I reluctantly agreed to enroll in college. Only a few months into college I knew this wasn't for me and that this couldn't have been the BEST way to get into the security field... So I dropped out. This event was a decision and a life lesson I will never forget. At that point, I learned not to take anyone's advice as the final say; I learned to ALWAYS come to my own conclusions. Some may ask if I regret dropping out of school, but I think dropping out of school was the best decision I've ever made.
Now that I was no longer in college I needed a plan, because I refused to be stuck in retail. Two years had gone by since I dropped out of college, and I started to take studying more seriously while still working in retail. There were days when I would bring my laptop to work and study on my lunch break. One day sometime in April, a YouTube ad showed up mentioning a Coding Bootcamp. Desperate, I did lots of research on coding boot camps and found a Bootcamp called Kenzie Academy.
I can't remember why exactly I chose this Bootcamp over others, but I did. Although Kenzie was my final choice for a coding Bootcamp, almost all coding boot camps are advertised the same way: "You don't owe us anything until you find a job!". The ISA, or Income Share Agreement, was the biggest selling point for me when looking into a coding Bootcamp. Unfortunately, at the time Cyber Security boot camps weren't offering ISAs and were very expensive. So I decided to settle for going to a coding Bootcamp instead, since I figured I'd need to learn how to code anyway; I needed a solid foundation for learning how to code, and there was potential for landing a job afterward.
The software development program was divided into two 6 month segments, the Front End and Back End courses. Fast forward to January 2020: I completed the Front End portion of the coding Bootcamp, and it was a challenging journey. I learned a lot and also felt I had learned enough to continue my studies in security and apply what I learned from Kenzie to start creating my own projects for my portfolio. At the time I felt very confident about being able to at least land a development job, but months, and soon 2 years, went by after graduating from the front-end portion of the coding Bootcamp. After 2 years had passed, I still wasn't able to find a job in software development, or even land an internship.
During this time I was desperate to get into the field and wanted nothing more than to work in Cyber Security. I left the retail job I was working because I could no longer tolerate the toxic work environment I was in. So I decided to study full-time and build up my LinkedIn network. During this time I transitioned from primarily studying Udemy courses to focusing on CTF sites like TryHackMe and HackTheBox. I practiced on these sites for hours a day on top of building my LinkedIn network and applying to jobs, until I burned myself out and had to take breaks. I learned so much about Cyber Security during this time, but I realized that I still didn't know what position within security I wanted to pursue. So I did research into the different positions in Cyber Security.
While researching, I started to go down a rabbit hole looking into the different roles in the security field. Eventually, I came across Incident Response and did more research into the different roles within an Incident Response team, and I came across "Malware Analysis"; the title alone piqued my interest. After looking more into Malware Analysis, I knew this was the role for me. Once I made my decision, I focused all my efforts on learning Malware Analysis. I started by studying all of the Malware Analysis content available on TryHackMe, then bought a few books on the topic such as "Practical Malware Analysis" by Michael Sikorski and Andrew Honig, "Malware Analyst's Cookbook" by Michael Ligh, Steven Adair, Blake Hartstein, Matthew Richard and more.
I even bought a few Paul Chin courses on Udemy; with all of this material I felt more than confident enough to learn everything I could about Malware Analysis. A year went by while studying full time, building up my LinkedIn network, and applying to jobs in the IT and Security fields. By this time I had acquired 1000+ connections on LinkedIn and felt confident that I'd be able to get some help from others in the community. I participated in security Discord servers, LinkedIn Cyber Security Livestream events, and more. Eventually, I started connecting with others who were also interested in Malware Analysis to exchange resources and other information to help me get a better understanding of the topic.
In late 2021, I received a connection from the President and Chief Revenue Officer of my first client as a freelancer. This was where I sort of had my initial break into Cyber Security, as a content developer. My duty was to develop content for the client's Cyber Security training platform, which is used to educate its users on various cybersecurity topics. My main focus was malware analysis, computer science, and reverse engineering. Admittedly, this role wasn't something I wanted to do full-time; nonetheless, it still provided me an income and professional experience I could use on my resume. Things were starting to look up with this new role; sure, the income wasn't stable, but it was definitely enough to keep me on my feet while gaining valuable experience.
It is now the year 2022, and it's time to start fresh. I am still working as a freelancer and on the hunt for full-time work. At this point I am fully confident that I have what it takes to land a full-time role; it's just a matter of a company being willing to take a chance on me. For about a year now, I've applied to multiple Security Researcher roles, as I feel they align with my experiences the most. My main technique for finding jobs is not to search for terms such as "Entry Level Security", "Entry Level Cyber Security Jobs" or any generic search queries like those; instead, my approach was to base my search on skills that I've learned during my studies.
For example, since the career I was aiming for was to become a Malware Analyst, I'd search for some of the tools used in Malware Analysis. So my search queries would be "x64dbg" or "Ghidra". Since Malware Analysis was already kind of a niche role in security, I could also just search "Malware Analysis" or "Reverse Engineering" and sift through the results for job listings that best matched my experiences.
Once I find a role that I'm interested in, I will reach out to a recruiter at the company and inquire about the position to show my interest. Here's an example of the inquiry that I'll send the recruiter:
Hello <RECRUITER NAME>, I hope all is well. My name is Jonathan, I am a Security Researcher. I came across your job posting for a <JOB POSTING> at the company and was hoping I could chat with you to express my interest in the position. I look forward to connecting with you! Thank you
This technique has gotten me a lot of initial calls which led to interviews. I've been in a dozen interviews, in some of which I got to the selection process but unfortunately was not selected. Even though I was not selected for some of the roles that I applied for, there was one interview that led to a great opportunity. Binary Defense reached out to schedule an interview, and during this interview I had a great chat with Randy, the Vice President of Threat Hunting and CounterIntelligence at the company. Unfortunately, I was not qualified enough for the role, but Randy was hosting a class on Reverse Engineering and he asked if I'd be interested in volunteering to be a teaching assistant for that class. Here is the course description:
"This class is designed for technical security personnel who wish to gain skills in reverse-engineering malicious software for Windows operating systems. Although no prior experience is required to take the class, students who have some programming experience in C or another language will find it easiest to participate fully. The class will focus on disassembly analysis of compiled 32-bit DLL files written in C but may also touch on scripting languages such as PowerShell and Visual Basic that are used to deliver compiled malware payloads. Students will learn practical analysis and report writing techniques to pull the most useful information out of malware that can help inform threat hunting and detection engineering efforts and communicate that information effectively."
- Using Microsoft Windows 11 Developer VM (free) and Visual Studio 2022 (free), write and compile a very simple DLL file for Windows in C that writes content to a file on disk.
- Run DLL files from the command line using rundll32.
- Using IDA Free 7, perform static code analysis of a very simple DLL file and explain its purpose.
- Using x32dbg, set breakpoints and step through running the instructions of a simple DLL file via rundll32.
- Create a Microsoft 365 Developer Tenant (free) for testing MS Teams, etc.
- Use vcpkg to install static libraries for Libcurl and cJSON in Visual Studio 2019.
- Modify the C code of a simple DLL project to send a simple message through Microsoft Teams via a webhook URL.
- Using IDA Free and x32dbg, analyze the new version of the DLL and find the instructions responsible for network connections.
- Using C source code provided by the instructor, modify the DLL project to be a typical Remote Access Trojan (RAT) capable of running commands, listing files and processes, and reporting the output to a Command-and-Control server.
- Modify the DLL to allow execution using rundll32, regsvr32, and msiexec.
- Using IDA Free and x32dbg, analyze the relevant portions of the RAT to identify the main command loop, commands recognized, network connections, and behavior-based indications of compromise that could be used by threat hunters and security engineers.
- Write a tactical malware analysis report, focusing on actionable details.
- Provide constructive feedback to other students about their malware analysis report.
- Analyze another student's version of the DLL with a few minor modifications and identify the relevant changes in functionality added by the other student.
- Using strings and FLOSS, extract strings from a compiled executable file.
- Using Python and C source code provided by the instructor, modify the DLL file to XOR encode some of the strings in the DLL project.
- Using IDA Free, analyze the XOR decoding function in another student's DLL to find the key bytes and decode the encoded strings.
- Using C code provided by the instructor, modify the DLL project to detect when it is being run in a virtual machine or debugger, causing the DLL to modify its behavior when analyzed.
- Using IDA Free and x32dbg, recognize the anti-analysis code in the DLL and patch the instructions to bypass the protections and analyze it anyway.
This course was only 3 months long, but it gave me an edge in the experience I'll need to land a Malware Analysis role later on in the future. After completing the course, I feel taking the volunteer role was the right choice to make, because I now have new connections within Binary Defense. Around April to May I continued my approach of reaching out to recruiters expressing my interest in roles at their company. While reaching out to companies I came across the company "Huntress" and one of their roles piqued my interest, so I decided to reach out to the CEO and said:
Hello Kyle, my name is Jonathan. I'm a malware analyst and I was interested in learning more about your company. I was wondering whether Huntress hosts any paid intern/apprenticeships. It seems like a great company to work at with lots of growth potential. I look forward to chatting with you! Thank you
After doing so, Kyle reached out and wanted to schedule an interview for us to have a chat with him and his team. I was given a chance to chat with Kyle, John Hammond and other members of the team, and to gain valuable connections. Unfortunately, I did not have enough experience for the role at the company that I was interested in. Although disheartened, I was not discouraged; I continued my search and studies, and not much time passed before I received the interview invitation that would make my 6-year-long struggle worth it.
In May, I received an invitation to interview for a Threat Analysis Intern role I had applied for months prior at the company "IronNet Cybersecurity". I was more than confident I'd be able to land the job, and I did! Here is the job description as it was listed:
Our mission is simple: Deliver the power of collective cybersecurity to defend companies, sectors, and nations. For decades, companies have been defending against cyberattacks on their own while adversaries have been organizing themselves into sophisticated hacker networks, until now with IronNet Collective Defense. Bringing together some of the best minds in cybersecurity and an unmatched team of experts from industry, government, and academia, IronNet was born to more effectively defend enterprises, sectors, and nations against highly organized cyber adversaries and increasingly sophisticated attacks.
- Research and create lead generation queries for C2 frameworks
- Analyze C2 servers
- Create queries
- Analyze analytic results for additional use cases
- Develop hunt queries for open search
- Create common queries that look for malicious use
Once I was offered the role my start date was June 1st, and throughout the internship, the amount of anxiety and imposter syndrome I experienced was through the roof. I had many sleepless nights just trying to get work done, and lots of meetings with my mentors to get help troubleshooting errors that I had and didn't know how to fix. Even though this internship was challenging, I still learned a lot of valuable skills and information which I will be able to use later on in my career. I was allowed to work with AWS OpenSearch and Elasticsearch, work in the security team's development environment, and more! The first project I was assigned was to convert Scala hunt queries into OpenSearch queries and dashboards for the security teams to use later in the future. My second project was to create a wrapper for OpenSearch and Elasticsearch so that the security teams would be able to query the OpenSearch and Elasticsearch database from their CLI.
I am extremely grateful for this experience, although it was only a short 2 months. Not only did I get to work on some great projects, but I also got to meet some great people during the internship, make lots of new connections and do some fun activities with the other interns. One of the activities was a book club where we were tasked with reading two books, "Leaders Eat Last" and "The Happiness Equation". These two books taught me life skills that I will remember fondly throughout the rest of my journey (I don't want to spoil the books 😉). During the 2 months of the internship, I kept applying to other roles and was still getting interviews for other full-time roles during this time from companies such as "Offensive Security", "Cisco", "Macquarie" and more. There was one company that changed everything for me and was able to help me land the career of my dreams, making $190K/yr.
With the internship coming to a close in less than 2 weeks, a recruiter from Apex Systems reached out to me looking to fill a Malware Analyst role at Bank of America. I happily agreed to proceed with the interview; although I've been in countless interviews, interviewing never got any easier despite how confident I was. Fast forward to the day of the interview, and everything went flawlessly: out of all the interviews I've been in over the past 4 years, this was the BEST interview I've been in.
Not only did I feel really good about my answers during the technical interview, but I also had a chance to bond with the team during a few personable questions. Typically, after all my other interviews, I would leave the call with a sense of anxiety and discouragement, as I knew the interview hadn't gone well. After 6 years of applying for jobs and interviewing I can proudly say that I've never felt such ecstasy after an interview, and with that said, I was offered the role a few days later! It's been a long and extremely stressful journey getting to where I am today. In the end, it was all worth it.