2. what?
• this presentation will discuss the things that you will actually need to
become a penetration tester, be prepared for a no-fluff honest
discussion.
• somewhat sarcastic, tongue in cheek, occasionally serious.
• based on my own personal observations on trends in industry and the
demand for security professionals.
• unfortunately much of the demand is for trained and experienced
people, not necessarily junior or intro level.
• please do ask questions and participate!
• otherwise you will hear me talk for 55 minutes straight…
3. wots a pentest?
• circumvention of security controls.
• identifying alternate functionality in a ‘system’.
• identifying alternate means of accessing functionality in a ‘system’.
• generally a very thorough logical and technical assessment of the
security controls and functionality in a ‘system’.
• wots a ‘system’? those things and people and processes that provide
business functionality and access to information. (app, endpoint,
protocol, physical…)
• wots a pentester? deliberate professional breaker of things. hacker.
• curious explorer? the definition changed at some point.
4. why?
• people seem to think that it is a sexy profession.
• oddly enough it is at least 50% boring and frustrating.
• then you write reports, that’s the exciting part.
• the actual exploitation is such a small part of the thing.
• there is an industry over-emphasis on the ‘hacking’ thing…
• are you sure? it can be a lot of work.
• it really isn’t about the hack, it’s about making things better.
• don't get me wrong, i enjoy what I do, and a good root dance.
5. everything has changed…
• the industry re-invents itself every 5 years or so.
• which means that we have to do the same, evolve.
• everything has merged with technology.
• security must be inter-disciplinary.
• we must solve risk problems with people, common sense, science,
and technology.
• massive implications of interconnection.
• attacks against ci have an entirely new impact.
• security, safety, and privacy; it is a brave new world.
6. what to do
• threat modelling.
• attacker emulation.
• red team.
• identify objectives.
• project planning and resourcing.
• enumerate controls.
• sometimes we just log in…
• discover vulnerabilities.
• exploitation, post-exploitation, passwords, pivoting, pillaging…
• reporting.
7. what are the top 10 thingies…
• probably the number one question, what are the top 10 coolest most
important hacking tools for penetration testers?
• what are the top 10 skills that are important to become the world’s
greatest hacker? make up lots of lies, plagiarize, and write a book!
• how do I become the bestest cyber hacker?
• can you hack my buddy’s hotmail for me?
• do I need a cool hacker handle?
• love the next two questions…
• do I really need to learn all that stuff to be a cool hacker?
• do I really have to work hard for many years to be a pentester?
• the best one: i have a $CERT or degree in * so that makes me an expert!!
8. what you really need
• attitude, aptitude, and initiative.
• desire.
• dedication.
• discipline.
• integrity.
• ethics.
• experience.
• knowledge.
• tools.
• so, how do I get me some?
9. tools?
• while somewhat important to the specific engagement, the tools are not
as important overall. the most important things are:
• deep technical knowledge.
• expertise in what you are assessing.
• team composition.
• project planning.
• scoping (what you can test).
• rules of engagement (tests you can run).
• legality, morality, ethics!
• logistics and controls.
• understanding the goals and objectives.
• methodology! and creativity!
10. no honestly, which tools do I need?
• the only required tool is the matter most (some) people have between
their ears. brains.
• a friend of mine said that the only tools are perspective and perception…
the rest are just pretty accessories and squirrels and shiny things.
• the honest answer is a web browser to do the recon and information
gathering, a project management tool for scheduling, and a database to
track target data in. scripting is very very very very useful. learn one.
• the remainder depend heavily on the nature of the engagement.
• it honestly isn’t about the tools, it’s about having the appropriate tool to
efficiently and effectively meet the pentest objectives. whichever tool
meets the requirements will do; they are mostly interchangeable.
• often pen testers talk about tactics, tools, techniques, and methodologies.
the tools are only relevant if they work correctly, for the most part.
11. ok, then what do we actually need?
• people with the training, painstaking attention to detail, experience,
analysis skills, and creativity to emulate attackers in a controlled
professional manner. oh, and teamwork and soft skills, and they have to be
able to write.
• process, which includes determining the scope of the project, rules of
engagement, plus details like policies and process and procedures.
• technology. the tools are the easy part, anyone can download the tools,
which are readily available, but in the hands of an unskilled individual they
may do a lot of damage, and do not always achieve the objective of
identifying and demonstrating risk.
• pen testers are restricted by scope, legality, morality, and ethics, and there
are rules of engagement; we always have both hands tied behind our backs.
we can’t do all the things that the attackers can do. bummer.
• you have to be the ball. what? (Caddyshack)
12. no, what about me?
• how do I get to be a pentester?
• ask really good questions. then find answers. that’s it.
• honestly i have no idea, i can tell you what i did, and i can tell you the
things I would look for in new hires when i was a manager…
• my degree is in political science, but i have played with computers
and networks since the early 1980s. i like to break stuff.
• i have always said that i can teach people the technology, but i cannot
teach good attitude, good team fit, problem solving, or curiosity.
• why does this presentation seem like random rambling?
• why are your slides so boring?
13. what do I need?
• passion!
• interesting question in that we tend to think in terms of a single lone
wolf penetration tester, when the truth is that the best engagements are
run with teams.
• some of the skills that are required on that team are project
management, creativity, being methodical, analysis, and writing. am i
getting repetitive?
• some will need an extensive background in information security, and to
be very technical in their areas of expertise.
• team membership will vary based on the specifics of each engagement;
web application expertise is not as useful in a wireless or network test.
• oh, and someone to run the scanning tools. minions!
• a good security analyst and project manager are worth 100 testers!
14. what is the path?
• you may have noticed the theme to this discussion by now.
• highly technical and specialized people moving into information
security as pentesters. they often have mucho academic background
and technical experience, or may be self-taught.
• information security generalists willing to acquire technical skills to
become pentesters. unless there is mucho training budget they will often
have to be self-taught. academics and certifications might help.
• IT specialists: developer, dba, architect, network, sysadmin…!
• forge your own path, there is no spoon.
• must have a deep understanding of what it is you are trying to pentest and
expertise in testing.
• i have met very few who started out their career as a pentester…
15. specialize, don't generalize
• penetration testing is not a junior role… it is a senior technical role.
• those who wish to follow a technical path over a long career soon
realize that they must specialize.
• being a generalist or on the path to management is good for some.
• not so much for others.
• being a member of an enterprise team leads to expertise.
• or a consultant.
• pick an area, you cannot do them all: physical, rf, locks, web
applications, endpoints, protocols, databases, wifi, ics, social
engineering…
16. where?
• mentors.
• communities.
• education, training, certifications are one way.
• being the security person on a team.
• taking the initiative and learning on your own, or a mix.
• boutique consulting firms.
• large consulting integration or services firms.
• many enterprises have red or purple teams.
• what the industry really needs are more blue team people who know
how offensive security works…
17. is that your final answer?
• no.
• it is up to you to learn, to ensure that you can do it.
• nobody else can do it for you.
• if this is your chosen career path, do not take no for an answer.
• make it happen, do it. now I sound like a broken nike commercial.
• do the hard work, learn what you need to learn.
• it isn’t about what others have done, it is your journey.
• make it your precious, your passion, you will make it.
• not everyone gets to be a pen tester, sorry.
• lots of openings in blue team. someone has to work in the soc.
18. questions?
was this the talk that you were expecting?
it is entirely possible that I do not have any answers that you will like
adrien de beaupré, lots of certs and stuff
penetration tester and SANS instructor
a member of the fellowship of the testers of pens
twitter @adriendb
adriendb@gmail.com
1 613 797 3912
http://www.intru-shun.ca
https://www.sans.org/instructors/adrien-de-beaupre