My Journey From An Intern To Associate Cyber Security Analyst

Kanak Sanpal
Aug 6, 2021

Hello all, my name is Kanak Sanpal and today I am here with my first blog in which I’ll take you all through a beautiful journey of my Career starting in Cyber Security.

So, I was in my final year of college, studying academics. Exams were scheduled for April; however, they were postponed due to the pandemic. Studying the same stuff over and again got tedious for me, so I decided to pursue a career in an area that I had always wanted to work in.

Although I was aware that there is a hacking-related field where we can also work and that is a little unique, nobody was there to help me or guide me to the right path. So, I decided to explore the field by myself; I started connecting with people from the Cyber Security domain over LinkedIn and started reading about it.

One thing I would like to mention here is that the community of Cyber Security professionals is very helpful and there are so many resources to learn from.

I spent a couple of months reading about it and interacting with cyber professionals, and joined many forums and Telegram channels where everyone was sharing very good stuff that gave me a good idea of what is in the Cyber Security field. Very soon I realized this field is not like you can read the theory and you are good; in this field, you must practice and think out of the box.

From different verticals of Cyber Security, I decided to start with Web Application Security. Practicing demo vulnerable labs gave me enough idea of vulnerabilities and gave me confidence that boosted my motivation to learn more and invest more time. In mid-April, instead of watching Netflix, I chose to play CTFs, infosec games, solve THM rooms and stay active on LinkedIn to grab different opportunities.

Over LinkedIn, I came to know that Detox Technologies was looking for Cyber Security Interns. I was excited just by seeing the post and applied instantly. Within a couple of days, I got a call from Detox Technologies and was interviewed with basic questions and about my efforts in learning.

After 2–3 days I again got a call with “Good News” that I was selected for their internship program, but that was an unpaid internship. I was super excited and happy as I cracked the first interview and started preparing for topics that I was asked to complete before the start of the internship.

On August 5, I began my internship journey; initially, I had one-to-one training sessions on how the web works, what are the various technologies used, and what sorts of servers are used in the current scenario. Although I was familiar with them, comprehending the concepts again thoroughly clarified my fundamentals.

SURPRISE 😊

Just before month-end, I received a call from Detox management that they were happy with the dedication and efforts I was putting into the internship to learn and practice what was being taught to us; as a result, they started my stipend. Seriously, I never expected that I’d get paid to study 😊.

Training started to pick up pace and later in the quarter, the topic transitioned from fundamentals to advanced concepts such as SQLi exploitation, XSS, access control vulnerabilities, and so on.

After every session, I used to read various blogs or articles on the topic being taught, as well as PortSwigger labs. After about a month, I received a web target to perform black box testing on, and I reported low-hanging fruit. The process was repeated for a quarter, which paved a path of learning, discussions, testing, and reporting. The quarter review was around the corner.

So, we were asked to solve WebGoat as a testbed for quarter review. I started solving different versions of WebGoat, where I found out about JWT and WSDL as new concepts. And the day for quarter review finally came. It was a nerve-wracking moment for me, but I was prepared, as it was going to determine whether my internship would continue.

The quarter evaluation went smoothly; I didn’t perform particularly well, but my fundamentals were clear, and my internship was extended. In the latter half of my internship, I began learning advanced topics like HTTP smuggling, OAuth misconfiguration, web sockets, web cache deception, web cache poisoning, and so on. For most advanced concepts, PortSwigger is a lifesaver. I was allocated different projects requiring skills to perform black box and grey box penetration testing. The procedure was carried out until the end of the second quarter.

When I was asked to pen test those live web projects, it was again a nerve-wracking experience for me because I had never done it before (P.S. Bug bounty is totally different).

But my mentors were lifesavers. They taught me a lot about how to run test cases, how to determine how parameters interact with databases, what kinds of test cases one could run in a given scenario, how we define impact and severity, and, of course, good report-writing skills.

Later, when another quarter’s review was approaching, I was asked to pentest a web application exclusively for the purpose of putting my complete expertise to the test and demonstrating how much I can do. I took that as a challenge, so I conducted reconnaissance, discovered various flaws, and most importantly, my first CVE. I had no idea how to identify CVEs before, so I did some research, went on Google, and found one, and prepared a report with description, impact, severity, CVSS score, and remediation. As much as I know, I performed well according to my potential.

And finally, the big day arrived. I went through two rounds of technical interviews and one with a general discussion. I answered most of the questions with my whole expertise, ranging from web and networking basics to advanced concepts such as OAuth and HTTP request smuggling vulnerabilities. The last round of the final discussion brought butterflies to my stomach. I had no idea what was going to happen. And if anything makes me worried, I put on my lucky t-shirt. I was just asked one question. Even though I knew the solution, I felt it was the most challenging part of the journey. And I qualified for the round and received the confirmation.

However, as is customary, good things take time to manifest. And then there’s the mystery: instead of an offer letter, I received a two-month extension on my internship. But it didn’t appear to be an internship; I investigated new company policies, tested projects concurrently, and published blogs on a variety of domains in infosec.

Things were going well, and after a month, Detox Technologies planned a trip to Rishikesh [P.S. I promised myself at the start of the year that I would visit Rishikesh]. Finally, I traveled to Noida for the first time and met everyone with whom I had virtually communicated for the past 7.5 months.

We reached a beautiful resort and started enjoying the trip; we were having some discussions and exploring the resort. On the second day after dinner, when we all were discussing normal things and trying to get to know each other, we all received a notice that the next day there would be a 1–1 performance discussion and also the annual appraisal cycle letter distribution.

Everyone was a little nervous, but I was relaxed as I thought appraisals would be for full-time employees and I was just an intern. The next morning started a little early, around 8:00 AM, with the 1–1 discussions. We all were waiting in the waiting area and one by one everyone was going to the discussion table; we literally saw everyone coming back with a big smile on their face, which itself communicated that they were very happy with what they got.

Now it was my turn to be nervous and go to that discussion table, and I believe it was the most exciting moment for me because instead of a performance evaluation, I received my offer letter, which was a big-big surprise for me. Trust me, I got an offer of what I was expecting.

I immediately made a phone call to my family and shared the good news with them. Now we all had 2 days left for the trip and with double happiness of appraisals.

We literally enjoyed every moment of our trip, went to different places, clicked so many pics, played games, did boating, rafting, and a lot more.

I would like to thank Detox Technologies and Shitesh Sir for giving me this opportunity. I also received the Employee of the Month reward after that; I will be sharing more details with you all in my next blog, where I’ll share what I learned and when I started feeling that yes, now I have a good understanding of this domain and have gained the required skillset.

Stay tuned for my next blog, as I am planning to take you all along with me on this awesome journey of learning during my internship.

Thanks again for reading till here.
